Why python-jose is still recommended in the documentation when it is nearly abandoned. #9587

First Check
Commit to Help

Example Code: No code needs to be provided.

Description: According to this page in the documentation: "But it was updated to use Python-jose instead as it provides all the features from PyJWT plus some extras that you might need later when building integrations with other tools." I don't think this is still relevant because we can't even use it on python >= 3.10 because

Operating System: Linux
Operating System Details: No response
FastAPI Version: 0.9.5
Python Version: 3.10
Additional Context: Error log:
Replies: 10 comments 6 replies
That should be fixed already on their behalf. I think they need to do a release?

Maybe https://github.com/lepture/authlib would also be an alternative?

I stumbled across this because I got a security alert for ecdsa (which is a dependency of After some research I discovered that my project is not affected, because I use the But it is still not a good experience when the documentation recommends a package which introduces a dependency (even if not used) to my project which has known vulnerabilities and by default relies on cryptographic libraries which are not designed for security!

I also got an error similar to this, namely because of the ECDSA alert. Implemented a fix equivalent to the below, which fixed the issues for me. igorbenav/FastAPI-boilerplate@4885a46 It would be super easy for us to implement this equivalent in the docs for FastAPI. I'm happy to do it if there is demand from the community?

Yo @tiangolo, can this issue get a bit of sunlight please? Appreciate that things can get busy but I feel that as a community we should be taking this type of thing seriously. Appreciate all the hard work.

Hi there. We are aware of the situation of python-jose having its last version in 2021 and the security issues about it. We will move forward to try to fix this as soon as possible and update the documentation to use another, better library with active development.

Now CVE-2024-33663 too

Agreed, this should probably be addressed.

We decided to move forward with PyJWT instead of python-jose; the docs have been updated now.

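Whichever library the docs end up recommending, the tutorial-style `create_access_token()` / token-decode pair has to enforce the same three things: accept only the configured algorithm, verify the signature in constant time, and check the `exp` claim. The example below is added here to make those checks explicit; it is not code from the FastAPI docs, from python-jose or from PyJWT. It implements HS256 with the standard library only so it runs offline, and the secret, claims and timestamps are constructed placeholders.

```python
# Added example (not from the FastAPI docs, python-jose or PyJWT): a minimal
# HS256 JWT mint/verify pair on the standard library, showing the checks a
# docs-style create_access_token()/decode must enforce regardless of library.
# SECRET_KEY, the claims and the timestamps are constructed placeholders.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ALGORITHM = "HS256"                      # the only algorithm this verifier accepts
SECRET_KEY = "constructed-demo-secret"  # placeholder; a real app loads a random key from config


class InvalidTokenError(Exception):
    """Raised for any token we refuse; the message says why."""


def b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    # Compact, key-sorted JSON keeps the token short and deterministic.
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign(signing_input: str, key: str) -> bytes:
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()


def create_access_token(data: dict, key: str, expires_in: int = 1800,
                        now: Optional[int] = None) -> str:
    """Mint header.payload.signature with an exp claim expires_in seconds from now."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALGORITHM, "typ": "JWT"}
    payload = dict(data, exp=now + expires_in)
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    return signing_input + "." + b64url_encode(sign(signing_input, key))


def decode_access_token(token: str, key: str, now: Optional[int] = None) -> dict:
    """Return the payload only if alg is pinned, the HMAC matches and exp is in the future."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidTokenError("malformed header")
    # Check the algorithm BEFORE touching the signature: the header is caller
    # controlled, so it must never decide how (or whether) we verify.
    if not isinstance(header, dict) or header.get("alg") != ALGORITHM:
        raise InvalidTokenError("unexpected alg")
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidTokenError("malformed signature")
    expected = sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        raise InvalidTokenError("bad signature")
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidTokenError("malformed payload")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise InvalidTokenError("expired")
    return payload


def check_token(token: str, key: str, now: Optional[int] = None) -> Tuple[Optional[dict], str]:
    """Convenience wrapper: (payload, "ok") on success, (None, reason) on rejection."""
    try:
        return decode_access_token(token, key, now), "ok"
    except InvalidTokenError as err:
        return None, str(err)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = create_access_token({"sub": "johndoe"}, SECRET_KEY, now=issued_at)
    print(token)
    print(check_token(token, SECRET_KEY, now=issued_at))
    print(check_token(token, SECRET_KEY, now=issued_at + 1800))  # expired at exactly exp
```

With PyJWT the same two operations are `jwt.encode(payload, key, algorithm="HS256")` and `jwt.decode(token, key, algorithms=["HS256"])`; the explicit `algorithms` list on decode is the library's equivalent of the pinned `ALGORITHM` check above, and `exp` is verified by default. The point of the stand-alone version is to show why those two parameters are not optional.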
As per https://jwt.io/libraries?language=Python authlib seems to have more functionality.
