Skip to content

build(deps): bump the pip group across 2 directories with 3 updates#1142

Merged
inimaz merged 1 commit intomasterfrom
dependabot/pip/pip-1265058d90
Mar 26, 2026
Merged

build(deps): bump the pip group across 2 directories with 3 updates#1142
inimaz merged 1 commit intomasterfrom
dependabot/pip/pip-1265058d90

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 26, 2026

Bumps the pip group with 3 updates in the / directory: authlib, ecdsa and pyasn1.
Bumps the pip group with 3 updates in the /requirements directory: authlib, ecdsa and pyasn1.

Updates authlib from 1.6.8 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match
Changelog

Sourced from authlib's changelog.

Version 1.6.9

Released on Mar 2, 2026

  • Not using header's jwk automatically.
  • Add ES256K into default jwt algorithms.
  • Remove deprecated algorithm from default registry.
  • Generate random cek when cek length doesn't match.
Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • See full diff in compare view

Updates ecdsa from 0.19.1 to 0.19.2

Release notes

Sourced from ecdsa's releases.

0.19.2

Bug fixes:

  • Fix CVE-2026-33936, a DER parsing issue in remove_octet_string(), remove_constructed(), and remove_implitic() where a truncated buffer wasn't detected. This can lead to high level functions, like SigningKey.from_der() to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))

Maintenance:

  • Update CI to use newer version of Ubuntu.
Changelog

Sourced from ecdsa's changelog.

  • Release 0.19.2 (26 Mar 2026)

Bug fixes:

  • Fix CVE-2026-33936, a DER parsing issue in remove_octet_string(), remove_constructed(), and remove_implitic() where a truncated buffer wasn't detected. This can lead to high level functions, like SigningKey.from_der() to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))

Maintenance:

  • Update CI to use newer version of Ubuntu.

  • Release 0.19.1 (13 Mar 2025)

New API:

  • der.remove_implitic and der.encode_implicit for decoding and encoding DER IMPLICIT values with custom tag values and arbitrary classes

Bug fixes:

  • Minor fixes around arithmetic with curves that have non-prime order (useful for experimentation, not practical deployments)
  • Fix arithmetic to work with curves that have (0, 0) on the curve
  • Fix canonicalization of signatures when s is just slightly above half of curve order

Maintenance:

  • Dropped official support for Python 3.5 (again, issues with CI, support for Python 2.6 and Python 2.7 is unchanged)

  • Officialy support Python 3.12 and 3.13 (add them to CI)

  • Removal of few more unnecessary six.b literals (Alexandre Detiste)

  • Fix typos in warning messages

  • Release 0.19.0 (08 Apr 2024)

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is

... (truncated)

Commits
  • bd66899 Merge commit from fork
  • 9c046ee tests: reject truncated DER lengths
  • acc40fd der: reject truncated lengths in octet/implicit/constructed
  • 55aca78 Merge pull request #363 from gstarovo/ubuntu20-deprecation
  • c4f0df1 chore: change to ubuntu-22 since u-20 is deprecated
  • See full diff in compare view

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

  • Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
  • Fixed OverflowError from oversized BER length field.
  • Fixed DeprecationWarning stacklevel for deprecated attributes.
  • Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

Commits
  • af65c3b Prepare release 0.6.3
  • 5a49bd1 Merge commit from fork
  • 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
  • 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
  • d7cb42d Fix OverflowError from oversized BER length field (#100)
  • See full diff in compare view

Updates authlib from 1.6.8 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match
Changelog

Sourced from authlib's changelog.

Version 1.6.9

Released on Mar 2, 2026

  • Not using header's jwk automatically.
  • Add ES256K into default jwt algorithms.
  • Remove deprecated algorithm from default registry.
  • Generate random cek when cek length doesn't match.
Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • See full diff in compare view

Updates ecdsa from 0.19.1 to 0.19.2

Release notes

Sourced from ecdsa's releases.

0.19.2

Bug fixes:

  • Fix CVE-2026-33936, a DER parsing issue in remove_octet_string(), remove_constructed(), and remove_implitic() where a truncated buffer wasn't detected. This can lead to high level functions, like SigningKey.from_der() to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))

Maintenance:

  • Update CI to use newer version of Ubuntu.
Changelog

Sourced from ecdsa's changelog.

  • Release 0.19.2 (26 Mar 2026)

Bug fixes:

  • Fix CVE-2026-33936, a DER parsing issue in remove_octet_string(), remove_constructed(), and remove_implitic() where a truncated buffer wasn't detected. This can lead to high level functions, like SigningKey.from_der() to raise unexpected exceptions. (Mohamed Abdelaal (0xmrma))

Maintenance:

  • Update CI to use newer version of Ubuntu.

  • Release 0.19.1 (13 Mar 2025)

New API:

  • der.remove_implitic and der.encode_implicit for decoding and encoding DER IMPLICIT values with custom tag values and arbitrary classes

Bug fixes:

  • Minor fixes around arithmetic with curves that have non-prime order (useful for experimentation, not practical deployments)
  • Fix arithmetic to work with curves that have (0, 0) on the curve
  • Fix canonicalization of signatures when s is just slightly above half of curve order

Maintenance:

  • Dropped official support for Python 3.5 (again, issues with CI, support for Python 2.6 and Python 2.7 is unchanged)

  • Officialy support Python 3.12 and 3.13 (add them to CI)

  • Removal of few more unnecessary six.b literals (Alexandre Detiste)

  • Fix typos in warning messages

  • Release 0.19.0 (08 Apr 2024)

New API:

  • to_ssh in VerifyingKey and SigningKey, supports Ed25519 keys only (Pablo Mazzini)

New features:

  • Support for twisted Brainpool curves

Doc fix:

  • Fix curve equation in glossary
  • Documentation for signature encoding and signature decoding functions

Maintenance:

  • Dropped official support for 3.3 and 3.4 (because of problems running them in CI, not because it's actually incompatible; support for 2.6 and 2.7 is

... (truncated)

Commits
  • bd66899 Merge commit from fork
  • 9c046ee tests: reject truncated DER lengths
  • acc40fd der: reject truncated lengths in octet/implicit/constructed
  • 55aca78 Merge pull request #363 from gstarovo/ubuntu20-deprecation
  • c4f0df1 chore: change to ubuntu-22 since u-20 is deprecated
  • See full diff in compare view

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

  • Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
  • Fixed OverflowError from oversized BER length field.
  • Fixed DeprecationWarning stacklevel for deprecated attributes.
  • Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

Commits
  • af65c3b Prepare release 0.6.3
  • 5a49bd1 Merge commit from fork
  • 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
  • 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
  • d7cb42d Fix OverflowError from oversized BER length field (#100)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the pip group across 2 directories with 3 updates
2fea787 
Bumps the pip group with 3 updates in the / directory: [authlib](https://github.com/authlib/authlib), [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) and [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the pip group with 3 updates in the /requirements directory: [authlib](https://github.com/authlib/authlib), [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) and [pyasn1](https://github.com/pyasn1/pyasn1).


Updates `authlib` from 1.6.8 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.8...v1.6.9)

Updates `ecdsa` from 0.19.1 to 0.19.2
- [Release notes](https://github.com/tlsfuzzer/python-ecdsa/releases)
- [Changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS)
- [Commits](tlsfuzzer/python-ecdsa@python-ecdsa-0.19.1...python-ecdsa-0.19.2)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

Updates `authlib` from 1.6.8 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.8...v1.6.9)

Updates `ecdsa` from 0.19.1 to 0.19.2
- [Release notes](https://github.com/tlsfuzzer/python-ecdsa/releases)
- [Changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS)
- [Commits](tlsfuzzer/python-ecdsa@python-ecdsa-0.19.1...python-ecdsa-0.19.2)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ecdsa
  dependency-version: 0.19.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ecdsa
  dependency-version: 0.19.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 26, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 26, 2026 10:38
@inimaz inimaz merged commit ce16f64 into master Mar 26, 2026
5 checks passed
@inimaz inimaz deleted the dependabot/pip/pip-1265058d90 branch March 26, 2026 10:39
SaboniAmine pushed a commit that referenced this pull request Mar 27, 2026
@dependabot @SaboniAmine
build(deps): bump the pip group across 2 directories with 3 updates (#…
7ccc0ac 
…1142)

Bumps the pip group with 3 updates in the / directory: [authlib](https://github.com/authlib/authlib), [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) and [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the pip group with 3 updates in the /requirements directory: [authlib](https://github.com/authlib/authlib), [ecdsa](https://github.com/tlsfuzzer/python-ecdsa) and [pyasn1](https://github.com/pyasn1/pyasn1).


Updates `authlib` from 1.6.8 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.8...v1.6.9)

Updates `ecdsa` from 0.19.1 to 0.19.2
- [Release notes](https://github.com/tlsfuzzer/python-ecdsa/releases)
- [Changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS)
- [Commits](tlsfuzzer/python-ecdsa@python-ecdsa-0.19.1...python-ecdsa-0.19.2)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

Updates `authlib` from 1.6.8 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.8...v1.6.9)

Updates `ecdsa` from 0.19.1 to 0.19.2
- [Release notes](https://github.com/tlsfuzzer/python-ecdsa/releases)
- [Changelog](https://github.com/tlsfuzzer/python-ecdsa/blob/master/NEWS)
- [Commits](tlsfuzzer/python-ecdsa@python-ecdsa-0.19.1...python-ecdsa-0.19.2)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ecdsa
  dependency-version: 0.19.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ecdsa
  dependency-version: 0.19.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@benoit-cty benoit-cty mentioned this pull request Mar 30, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@inimaz inimaz inimaz approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@inimaz