chore(deps): bump authlib from 1.7.0 to 1.7.1 in /envs/terminus_env #786
dependabot[bot] wants to merge 1 commit into
Bumps [authlib](https://github.com/authlib/authlib) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Commits](authlib/authlib@v1.7.0...1.7.1)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.7.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Darktex
left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review (automated)
Tier 1 (bugs/lint): None. Minimal patch bump (+3/-3) touching only envs/terminus_env/uv.lock: authlib 1.7.0 -> 1.7.1, a bugfix release that also patches an unvalidated redirect_uri redirect in OpenIDImplicitGrant/OpenIDHybridGrant (security-relevant, worth taking). Verified the diff contains no unrelated openenv-core -> openenv rename — unlike #780, this lockfile still references openenv-core.
Tier 2 (alignment): None.
Automated review by Claude Code | Learn more
Darktex
left a comment
Note: This is an automated review by Claude Code, not a human review.
Tier 1 (correctness): Clean lockfile bump of authlib 1.7.0 → 1.7.1 in envs/terminus_env/uv.lock. Version string, sdist (URL + sha256 + size + upload-time) and wheel (URL + sha256 + size + upload-time) are all updated together and consistent with the 1.7.1 artifacts — no partial edits or stale hashes.
Tier 2 (alignment): No Python source touched; no OpenEnv invariant or principle implicated. Scope matches the title exactly (one file). Upstream 1.7.1 is a bugfix release (JOSE deprecation-warning fix + an OIDC redirect_uri validation fix).
Verdict: approve — routine, internally-consistent dependency bump.
Automated review by Claude Code | Learn more
Darktex
left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review
Automated checks (changed files): Lint PASS | Debug code CLEAN
Tier 1 — bugs / correctness
None. Single-line patch bump in envs/terminus_env/uv.lock (authlib 1.7.0 → 1.7.1). sdist + wheel hashes and sizes are internally consistent; lockfile format is valid.
Tier 2 — alignment
None. authlib is a transitive dependency (via fastmcp), not a direct/pinned dep in pyproject.toml. No source changes; no invariant touched (dual-API boundary, agent isolation, client-server separation, rewards-in-environment).
Verdict: approve — safe to merge once CI passes.
Automated review by Claude Code | Learn more
Darktex
left a comment
Note: This is an automated review by Claude Code, not a human review.
Routine authlib patch bump (1.7.0 -> 1.7.1) scoped entirely to envs/terminus_env/uv.lock. Only the version, sdist URL/hash, and wheel URL/hash change; no source files, manifests, or other environments touched. Hashes are well-formed and the size delta is consistent with a patch release. No Tier 1 or Tier 2 concerns.
Verdict: approve
Automated review by Claude Code | Learn more
Darktex
left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review
Diff scope verified: Exclusively a lockfile update in envs/terminus_env/uv.lock — version string, sdist URL/hash, and wheel URL/hash changed from authlib 1.7.0 to 1.7.1. No source, config, or logic touched.
Tier 1 (mechanical): No issues.
Tier 2 (alignment): No concerns. A patch-level lockfile bump of an auth library has no interaction with OpenEnv's architectural invariants (agent isolation, dual API boundary, client-server separation, rewards-inside-environment).
LGTM.
Automated review by Claude Code | Learn more
Rolled into #789 so maintainers can review and merge the env Dependabot updates together.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps authlib from 1.7.0 to 1.7.1.
Release notes
Sourced from authlib's releases.
Commits
- 485016a chore: bump to 1.7.1
- 7b4ecd7 fix: redirecting to unvalidated redirect_uri on InvalidScopeError in OIDC grants
- c304a21 Merge pull request #881 from azmeuk/880-deprecation-warnings
- 4165ada fix: authlib.jose deprecation warning poping from _joserfc_helpers

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.