
fix(deps): bump authlib to >=1.6.12 to patch PYSEC-2026-188#6027

Merged
greysonlalonde merged 1 commit into main from gl/fix/bump-authlib-cve on Jun 3, 2026
Conversation

@greysonlalonde
Contributor

@greysonlalonde greysonlalonde commented Jun 3, 2026

PYSEC-2026-188 affects authlib <1.6.12. Workspace override pinned authlib >=1.6.11; bump to >=1.6.12 and relock (resolved to 1.7.2).


Note

Low Risk
Dependency-only security pin with lockfile refresh; authlib is not directly referenced in workspace source, though OAuth-related transitive behavior may change on the 1.6.x→1.7.x jump.

Overview
Bumps the tool.uv override for authlib from >=1.6.11 to >=1.6.12, with an updated comment noting PYSEC-2026-188 alongside the existing CSRF advisory.

uv.lock reflects the relock: authlib 1.6.11 → 1.7.2, a new transitive dependency joserfc, and a no-op exclude-newer placeholder for backwards compatibility with relative exclude-newer settings.

Reviewed by Cursor Bugbot for commit de74b71.

Summary by CodeRabbit

  • Chores
    • Updated authlib dependency to a newer patched version for improved security and stability.

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d6416c05-f62d-491d-b1d0-0452411d46ac

📥 Commits

Reviewing files that changed from the base of the PR and between ee70702 and de74b71.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

Walkthrough

This PR updates the authlib dependency constraint from version >=1.6.11 to >=1.6.12 in pyproject.toml, including the coordinated security comment that documents the vulnerability fix threshold.

Changes

Authlib Version Bump

Layer / File(s) | Summary
Update authlib minimum version (pyproject.toml) | The authlib version constraint in tool.uv.override-dependencies is increased to >=1.6.12, and the security comment at line 189 is updated to reference the new minimum patched version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

size/XS

Suggested reviewers

  • joaomdmoura

Poem

🐰 A patch so small, yet mighty and bright,
Authlib hops forward to version new light,
Comments aligned, constraints now refined,
Security patched with precision in mind!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title directly matches the main change: bumping the authlib dependency to patch the PYSEC-2026-188 security vulnerability.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@greysonlalonde greysonlalonde merged commit 7676b09 into main Jun 3, 2026
56 of 57 checks passed
@greysonlalonde greysonlalonde deleted the gl/fix/bump-authlib-cve branch June 3, 2026 16:46
