Skip to content

v1346+srv688.web506

v1346+srv688.web506: deps(py): bump the uv-prod-minor-patch group with 3 updates (#1757)
@dependabot dependabot tagged this 26 May 15:20 
Bumps the uv-prod-minor-patch group with 3 updates:
[elevenlabs](https://github.com/elevenlabs/elevenlabs-python),
[pyjwt](https://github.com/jpadilla/pyjwt) and
[uuid-utils](https://github.com/aminalaee/uuid-utils).

Updates `elevenlabs` from 2.47.0 to 2.49.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/elevenlabs/elevenlabs-python/releases">elevenlabs's
releases</a>.</em></p>
<blockquote>
<h2>v2.49.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add publish environment and remove unnecessary workflow by <a
href="https://github.com/PaulAsjes"><code>@​PaulAsjes</code></a> in <a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/pull/791">elevenlabs/elevenlabs-python#791</a></li>
<li>SDK regeneration by <a
href="https://github.com/fern-api"><code>@​fern-api</code></a>[bot] in
<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/pull/792">elevenlabs/elevenlabs-python#792</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/elevenlabs/elevenlabs-python/compare/v2.48.0...v2.49.0">https://github.com/elevenlabs/elevenlabs-python/compare/v2.48.0...v2.49.0</a></p>
<h2>v2.48.0</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: add speech_engine_custom.py to .fernignore by <a
href="https://github.com/kraenhansen"><code>@​kraenhansen</code></a> in
<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/pull/789">elevenlabs/elevenlabs-python#789</a></li>
<li>:herb: Fern Regeneration -- May 18, 2026 by <a
href="https://github.com/fern-api"><code>@​fern-api</code></a>[bot] in
<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/pull/790">elevenlabs/elevenlabs-python#790</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/elevenlabs/elevenlabs-python/compare/v2.47.0...v2.48.0">https://github.com/elevenlabs/elevenlabs-python/compare/v2.47.0...v2.48.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/elevenlabs/elevenlabs-python/commit/40399dd800190ac3a3af8c516d282ce572e0a26c"><code>40399dd</code></a>
SDK regeneration (<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/issues/792">#792</a>)</li>
<li><a
href="https://github.com/elevenlabs/elevenlabs-python/commit/6cdc807dbce06ea8b7e9037f018adb6816f39236"><code>6cdc807</code></a>
Add publish environment and remove unnecessary workflow (<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/issues/791">#791</a>)</li>
<li><a
href="https://github.com/elevenlabs/elevenlabs-python/commit/a8b4b1cf1429a08facfdc5e9922698c4dc0688c5"><code>a8b4b1c</code></a>
SDK regeneration (<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/issues/790">#790</a>)</li>
<li><a
href="https://github.com/elevenlabs/elevenlabs-python/commit/733193b0b1f100f58469fc900c8a78878309f2ef"><code>733193b</code></a>
fix: add speech_engine_custom.py to .fernignore (<a
href="https://redirect.github.com/elevenlabs/elevenlabs-python/issues/789">#789</a>)</li>
<li>See full diff in <a
href="https://github.com/elevenlabs/elevenlabs-python/compare/v2.47.0...v2.49.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `pyjwt` from 2.12.1 to 2.13.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.13.0</h2>
<h1>PyJWT 2.13.0 — Security Release</h1>
<p>This release bundles five security fixes plus three additional
hardening / spec-compliance changes. We recommend all users upgrade.</p>
<h2>Security</h2>
<ul>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a>
— JWK JSON accepted as HMAC secret (algorithm confusion).</strong>
<code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and
SSH-formatted asymmetric keys but did not catch a JWK passed as a raw
JSON string. In a verifier configured with both symmetric and asymmetric
algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key,
an attacker could forge HS256 tokens using the JWK text as the HMAC
secret. The guard has been extended to reject any JWK-shaped JSON.
<em>Reported by <a
href="https://github.com/aradona91"><code>@​aradona91</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a>
— Algorithm allow-list bypass with <code>PyJWK</code> /
<code>PyJWKClient</code>.</strong> When verifying with a
<code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list
was checked against the token header <code>alg</code> as a string only;
actual verification used the algorithm bound to the <code>PyJWK</code>.
An attacker who controlled a registered JWKS key could sign with one
algorithm and advertise another on the header. PyJWT now requires the
token header <code>alg</code> to match the <code>PyJWK</code>'s
algorithm before verification. <em>Reported by <a
href="https://github.com/sushi-gif"><code>@​sushi-gif</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a>
— DoS via base64 decode of unused payload segment when
<code>b64=false</code>.</strong> For detached-payload JWS
(<code>b64=false</code>), the compact-form payload segment was
base64-decoded before being discarded in favor of the caller-supplied
<code>detached_payload</code>. An attacker could inflate the unused
segment to force CPU + memory cost without holding a valid signature.
The segment is now required to be empty per RFC 7515 Appendix F, and is
no longer decoded. <em>Reported by <a
href="https://github.com/thesmartshadow"><code>@​thesmartshadow</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a>
— <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong>
<code>PyJWKClient.fetch_data</code> passed its URI to
<code>urllib.request.urlopen</code>, which by default also handles
<code>file://</code>, <code>ftp://</code>, and <code>data:</code>
schemes. An application that fed an attacker-influenced URI into
<code>PyJWKClient</code> could be coerced into reading local files or
reaching other unintended schemes. <code>PyJWKClient</code> now rejects
any URI whose scheme isn't <code>http</code> or <code>https</code>.
<em>Reported by <a
href="https://github.com/KEIJOT"><code>@​KEIJOT</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a>
— <code>PyJWKClient</code> cache wiped on fetch error.</strong> A
<code>finally</code>-block <code>put(jwk_set=None)</code> cleared the
JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint
outage into application-wide auth failure. The cache write was moved
into the success path; transient errors no longer evict valid cached
keys. <em>Reported by <a
href="https://github.com/eddieran"><code>@​eddieran</code></a>.</em></p>
</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Reject empty HMAC keys outright in
<code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code>
instead of accepting them with only a warning. Defends against the
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code> footgun.
<em>Thanks to <a
href="https://github.com/SnailSploit"><code>@​SnailSploit</code></a> and
<a href="https://github.com/spartan8806"><code>@​spartan8806</code></a>
for the reports.</em></li>
<li>Forward per-call <code>options</code> (including
<code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code>
through to <code>PyJWS._verify_signature</code>. The option was
previously silently dropped between the two layers, so it only took
effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a
href="https://github.com/WLUB"><code>@​WLUB</code></a> for the
report.</em></li>
<li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong>
the encoder now auto-adds <code>&quot;b64&quot;</code> to
<code>crit</code>, and the decoder rejects tokens that set
<code>b64=false</code> without listing it in <code>crit</code>.
<em>Thanks to <a
href="https://github.com/MachineLearning-Nerd"><code>@​MachineLearning-Nerd</code></a>
for the report.</em></li>
</ul>
<h2>Changed</h2>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups, by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li>
</ul>
<h2>Upgrade notes</h2>
<p>Most fixes are invisible to correctly-configured callers. A few
behavioral changes you may encounter:</p>
<ul>
<li><strong>Empty HMAC keys now raise.</strong> If your app passed
<code>&quot;&quot;</code> or <code>b&quot;&quot;</code> as a secret
(often via a missing env var, e.g.
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code>),
<code>encode</code>/<code>decode</code> will now raise
<code>InvalidKeyError</code>. This is the intended behavior — fix the
configuration.</li>
<li><strong><code>PyJWK</code> decoding now requires the token's
<code>alg</code> to match the JWK's algorithm.</strong> Previously a
mismatch was silently honored if the header <code>alg</code> appeared in
the allow-list. Tokens that relied on this mismatch will now fail with
<code>InvalidAlgorithmError</code>.</li>
<li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at
construction time.</strong> Tests or dev environments that fetched JWKS
from <code>file://</code> URIs need to switch to a local HTTP server or
load the JWKS by other means (e.g. construct
<code>PyJWKSet.from_dict(...)</code> directly).</li>
<li><strong><code>b64=false</code> tokens are now strictly RFC 7515 /
7797 compliant.</strong> Tokens with a non-empty compact-form payload
segment, or that omit <code>&quot;b64&quot;</code> from
<code>crit</code>, will be rejected. PyJWT-produced tokens always
satisfy both invariants, so round-trips through PyJWT are
unaffected.</li>
<li><strong><code>enforce_minimum_key_length</code> set per-call now
takes effect.</strong> Callers who passed
<code>options={&quot;enforce_minimum_key_length&quot;: True}</code> to
<code>jwt.decode()</code> previously got no enforcement; they will now
get <code>InvalidKeyError</code> on undersized keys, as documented.</li>
</ul>
<p><strong>Full changelog:</strong> <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.13.0
&lt;https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0&gt;</code>__</h2>
<p>Security</p>
<pre><code>
- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
`GHSA-xgmm-8j9v-c9wx
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx&gt;`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
by @sushi-gif in `GHSA-jq35-7prp-9v3f
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f&gt;`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
influenced URIs cannot read local files or reach unintended schemes via
urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
by @KEIJOT in `GHSA-993g-76c3-p5m4
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4&gt;`__.
- Preserve the cached JWK Set on fetch errors in
``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
on any transient outage, turning one bad JWKS request into application-
wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8&gt;`__.
- Skip the unconditional base64 decode of the compact-form payload
segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
`GHSA-w7vc-732c-9m39
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39&gt;`__.
<p>Fixed</p>
<pre><code>
- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including
``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
``&amp;quot;b64&amp;quot;`` to the ``crit`` header parameter, and the
decoder rejects
tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed
</code></pre>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in
<code>[#1152](https://github.com/jpadilla/pyjwt/issues/1152)
&amp;lt;https://github.com/jpadilla/pyjwt/pull/1152&amp;gt;</code>__
</code></pre></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/7144e4534c34810f4525dc4578a32addd8212cff"><code>7144e45</code></a>
Apply ruff format</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/d2f4bec4963897c0ef96ef64a875894f2c8542ab"><code>d2f4bec</code></a>
Restore <code>cast()</code> calls with cross-version <code>type:
ignore</code> for <code>prepare_key</code></li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/22f478cebddd8294259c30f037ecb92b0b348774"><code>22f478c</code></a>
Remove redundant casts in <code>RSAAlgorithm.prepare_key</code> and
`ECAlgorithm.prepare...</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81"><code>95791b1</code></a>
Bundle security fixes and hardening into 2.13.0</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/dcc27a9d3182a2349c30b160758785c6ce7a6508"><code>dcc27a9</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1155">#1155</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/9d08a9a1896845ed8eaf88e6f6ac61e5800c3e7a"><code>9d08a9a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1146">#1146</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/b87c10014d4109f0214fea188d00faaaf8a80e64"><code>b87c100</code></a>
Bump codecov/codecov-action from 5 to 6 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1154">#1154</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/40e3147eb5f790d8d041772e5fc00728a176c812"><code>40e3147</code></a>
Migrate development extras to dependency groups (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1152">#1152</a>)</li>
<li>See full diff in <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `uuid-utils` from 0.15.0 to 0.16.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aminalaee/uuid-utils/releases">uuid-utils's
releases</a>.</em></p>
<blockquote>
<h2>0.16.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Optimize uuid_utils.compat with <code>from_int</code> by <a
href="https://github.com/aminalaee"><code>@​aminalaee</code></a> in <a
href="https://redirect.github.com/aminalaee/uuid-utils/pull/166">aminalaee/uuid-utils#166</a></li>
<li>fix: return version None for non-RFC UUIDs by <a
href="https://github.com/aminalaee"><code>@​aminalaee</code></a> in <a
href="https://redirect.github.com/aminalaee/uuid-utils/pull/163">aminalaee/uuid-utils#163</a></li>
<li>Validate <code>node</code> argument out of range in constructor by
<a href="https://github.com/aminalaee"><code>@​aminalaee</code></a> in
<a
href="https://redirect.github.com/aminalaee/uuid-utils/pull/164">aminalaee/uuid-utils#164</a></li>
<li>Drop Python3.9 by <a
href="https://github.com/aminalaee"><code>@​aminalaee</code></a> in <a
href="https://redirect.github.com/aminalaee/uuid-utils/pull/168">aminalaee/uuid-utils#168</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/aminalaee/uuid-utils/compare/0.15.0...0.16.0">https://github.com/aminalaee/uuid-utils/compare/0.15.0...0.16.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/5fbd5e6eec51fe20faa3fc67c1274ed7abd9388d"><code>5fbd5e6</code></a>
Version 0.16.0 (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/169">#169</a>)</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/24438fb3ed80a2e565addedf5cb63e9032319a2c"><code>24438fb</code></a>
Drop Python3.9 (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/168">#168</a>)</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/2bc4813859608bd09cc7335a70174eff5c31f037"><code>2bc4813</code></a>
Migrate to Zensical (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/167">#167</a>)</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/cf0bdf46b63c66faf42d8543bb89976a1da52abf"><code>cf0bdf4</code></a>
Switch mypy to ty</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/304700ea6c74d9c60a8e5dff1342893c3b85fb4d"><code>304700e</code></a>
chore: minor improvements for consistency</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/0aeb1d4f68fec5bf2eb221886f60bdd6325f3a53"><code>0aeb1d4</code></a>
Fix benchmark URL in README</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/49ca99d5e386a24729d7b0aa6d1c9c0802b7218d"><code>49ca99d</code></a>
Optimize uuid_utils.compat with <code>from_int</code> (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/166">#166</a>)</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/c6b04aaa294b5ce7463a50d84715cf963eac14f6"><code>c6b04aa</code></a>
Validate <code>node</code> argument out of range in constructor (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/164">#164</a>)</li>
<li><a
href="https://github.com/aminalaee/uuid-utils/commit/f3faea976cd6b60ff078f23f86ef919b75b319dc"><code>f3faea9</code></a>
fix: return version None for non-RFC UUIDs (<a
href="https://redirect.github.com/aminalaee/uuid-utils/issues/163">#163</a>)</li>
<li>See full diff in <a
href="https://github.com/aminalaee/uuid-utils/compare/0.15.0...0.16.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Assets 2
Loading