[build] Fix exclude path to not format libbacktrace#207

Merged
jberdine merged 1 commit into
SkipLabs:mainfrom
jberdine:fix-fmt
Apr 16, 2024

Conversation

@jberdine
Contributor

No description provided.

@jberdine jberdine merged commit 946eea5 into SkipLabs:main Apr 16, 2024
@jberdine jberdine deleted the fix-fmt branch April 16, 2024 12:33
mbouaziz added a commit that referenced this pull request May 22, 2026
…rvice

Clears Dependabot alert #207 (GHSA-752w-5fwx-jx9f, PyJWT accepts unknown
`crit` header extensions, patched in 2.12.0). The alert was created
2026-03-14 against PyJWT==2.8.0 and never auto-closed after PRs #1144
and #1145 bumped to 2.12.0; updating to 2.13.0 (latest) re-triggers
Dependabot's scan and is itself a security release covering five
additional CVEs (JWK-as-HMAC-secret, PyJWK alg bypass, base64 DoS, etc.)
— none of which affect these apps' plain-string-secret + HS256 flow,
but worth picking up.

Bumping both web_service examples in lockstep since they were paired in
the original PyJWT 2.8.0 -> 2.12.0 bump.

Verified import + HS256 algorithm registration on Python 3.10 (system)
and 3.12 (Dockerfile base) maps to the same code path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mbouaziz added a commit that referenced this pull request May 22, 2026
## Summary
Clears Dependabot alert
[#207](https://github.com/SkipLabs/skip/security/dependabot/207) —
GHSA-752w-5fwx-jx9f
(PyJWT accepts unknown `crit` header extensions, patched in 2.12.0).

The alert was raised 2026-03-14 against `PyJWT==2.8.0`. [PR
#1144](#1144) bumped to 2.12.0 (the
first patched version) on 2026-05-20, but Dependabot never auto-closed
the alert. Bumping to **2.13.0** (latest) forces a re-scan and is itself
a security release: 5 additional CVEs fixed plus 3 hardening changes
(JWK-as-HMAC-secret algorithm confusion, PyJWK/PyJWKClient algorithm
allow-list bypass, base64 DoS, etc.).

## Compatibility
This app's PyJWT usage is the basic plain-string-secret + HS256 flow:
- `jwt.encode(token_data, JWT_SECRET, algorithm="HS256")`
- `jwt.decode(token, JWT_SECRET, algorithms=["HS256"])`
- `except jwt.ExpiredSignatureError` / `except jwt.InvalidTokenError`

None of the 2.13.0 changes touch these APIs — the security fixes are
around JWK/PyJWK paths we don't use.

Verified `import jwt; HS256 algorithm registered` cleanly with PyJWT
2.13.0 on Python 3.10 (system) — the Dockerfile uses Python 3.12.13
which exercises the same code path.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
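The commit message above describes the checks a consumer of the `web_service` example relies on: a pinned `algorithms=["HS256"]` allow-list, rejection of unknown `crit` header extensions (the behaviour GHSA-752w-5fwx-jx9f is about), and the `ExpiredSignatureError` / `InvalidTokenError` except-ladder. The block below is an added, standard-library-only model of that verify path, written for this page. It is not PyJWT's code and not the SkipLabs `web_service` code; the function names (`encode`, `decode`, `check_token`, `forge_unsigned`), the `UNDERSTOOD_CRIT` set, the secret and the tokens it builds are all constructed for illustration.

```python
"""Stdlib-only model of an HS256 JWT verify path (illustration, not PyJWT).

Shows the three checks a token consumer needs before trusting a payload:
a caller-pinned algorithm allow-list, rejection of `crit` header extensions
the verifier does not implement (RFC 7515 s4.1.11), and expiry handling.
All names and sample values here are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time


class InvalidTokenError(Exception):
    """Any verification failure (plays the role of jwt.InvalidTokenError)."""


class ExpiredSignatureError(InvalidTokenError):
    """Signature valid but `exp` is in the past (jwt.ExpiredSignatureError)."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def encode(payload, secret, algorithm="HS256", headers=None):
    """Sign a payload with a plain-string secret; `headers` lets tests add `crit`."""
    if algorithm != "HS256":
        raise NotImplementedError("this model only signs with HS256")
    header = {"alg": "HS256", "typ": "JWT", **(headers or {})}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(segs).encode()
    return ".".join(segs + [b64url_encode(hs256(secret, signing_input))])


# Header extensions this verifier implements. Empty: any `crit` entry is unknown
# and must cause rejection rather than being silently ignored.
UNDERSTOOD_CRIT = frozenset()


def decode(token, secret, algorithms, now=None):
    """Verify `token` and return its payload; `now` overrides the clock for tests."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("expected three dot-separated segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise InvalidTokenError(f"undecodable header or signature: {exc}") from None
    if not isinstance(header, dict):
        raise InvalidTokenError("header is not a JSON object")
    # 1. Algorithm pinning: the caller's allow-list decides, never the token's `alg`.
    alg = header.get("alg")
    if alg not in algorithms or alg != "HS256":
        raise InvalidTokenError(f"algorithm {alg!r} not in allow-list {algorithms}")
    # 2. `crit`: a non-empty array whose every entry is present and understood.
    crit = header.get("crit")
    if crit is not None:
        if not isinstance(crit, list) or not crit:
            raise InvalidTokenError("crit must be a non-empty array")
        unknown = [name for name in crit if name not in header or name not in UNDERSTOOD_CRIT]
        if unknown:
            raise InvalidTokenError(f"unsupported critical header extensions: {unknown}")
    # 3. Constant-time signature check before anything in the payload is trusted.
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not hmac.compare_digest(hs256(secret, signing_input), signature):
        raise InvalidTokenError("signature verification failed")
    try:
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        raise InvalidTokenError(f"undecodable payload: {exc}") from None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ExpiredSignatureError("token has expired")
    return payload


def check_token(token, secret, now=None):
    """The app-side except-ladder, returning a label instead of raising."""
    try:
        return "ok", decode(token, secret, algorithms=["HS256"], now=now)
    except ExpiredSignatureError:
        return "expired", None
    except InvalidTokenError as exc:
        return "invalid", str(exc)


def forge_unsigned(payload):
    """Attacker-side constructed sample: `alg: none` token with an empty signature."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."
```

The `crit` branch is the part that matters for the advisory: a verifier that skips it will accept a token whose header declares an extension it never evaluated, which is exactly what the pinned allow-list and signature check cannot catch on their own. The `now` parameter exists only so expiry can be tested deterministically; a real service uses the clock.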