Upgrade to PyJWT 2.0

[wavenator]

Issue Summary

The title speaks for itself. I think we should migrate to PyJWT 2.0 to comply with being updated all the time.
It is noticeable that the community moves towards dropping Python 2.7 support as it stopped being maintained and is considered deprecated. Upgrading to PyJWT 2.0 will force us to drop Python 2.7 support and I think we should drop it regardless of updating PyJWT.

WDYT?

[thinkingserious]

Hello @wavenator,

Thanks for taking the time to bring this issue to our attention!

While we did have dropping Python 2.7 support on our backlog, we did not consider upgrading to PyJWT 2.0. I consider that to be a separate issue, but related. So I created a separate ticket for the Python 2.7 deprecation, please add your voice to that issue to help elevate the priority.

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

I am modifying the title on this ticket to reflect the change in scope.

With best regards,

Elmer

[hugorodgerbrown]

+1 for this - it's currently preventing us from upgrading dependencies as we have multiple packages that depend on PyJWT, and Twilio is the only one that does not support 2.0. (Main issue being string <> bytestring change in encode/decode functions).

[campbellmc]

+1 same issue. We have other dependencies which require PyJWT >= 2.0.0

[janneronkko]

+1

Dependencies require PyJWT 2.0.0 or newer and we can not update all dependencies anymore due this.

[janneronkko]

Also fixing exact version in setup.py is (at least in my opinion) a bad habit; you are forcing everybody to use that exact version in their deployments.

In requirements.txt fixing dependencies to certain version is fine because (usually) requirements.txt describe your production environment. setup.py (or your project dependencies) on the other hand describe what is required to run. Of course, if your library does not work with PyJWT 2.0, you should tell that in setup.py but use

pyjwt<2.0 instead of pyjwt==1.7.1.

The commit that changed PyJWT requirements: 8bab718

I have, in fact, been using twilio library with PyJWT 2.0 but I'm only sending SMS and I resolved my update issues by requiring an old version of twilio library in my deployment: twilio<6.51.0

[campbellmc]

Also fixing exact version in setup.py is (at least in my opinion) a bad habit; you are forcing everybody to use that exact version in their deployments.

In requirements.txt fixing dependencies to certain version is fine because (usually) requirements.txt describe your production environment. setup.py (or your project dependencies) on the other hand describe what is required to run. Of course, if your library does not work with PyJWT 2.0, you should tell that in setup.py but use

pyjwt<2.0 instead of pyjwt==1.7.1.

The commit that changed PyJWT requirements: 8bab718

I have, in fact, been using twilio library with PyJWT 2.0 but I'm only sending SMS and I resolved my update issues by requiring an old version of twilio library in my deployment: twilio<6.51.0

Yes - completely agree - it's a bad habit. Pinning a version of a dependency is a nuclear option and should be considered to be a breaking change.

[tpberntsen]

+1 as it prevents us from using new features from PyJWT 2.x.

[ghost]

pyjwt>=2.0.0 is needed by social-auth-core while twilio still needs 1.7.1. Any update with @karls pull request?

[hugorodgerbrown]

Just in case this is useful anecdotal client info for internal discussions / prioritisation at Twilio - we are going to suspend our outbound SMS from 1-Mar because of this. It's holding back a bunch of other upgrades.

[karls]

@hoteit working on it. :-) Just pushed a new commit that drops support for 2.7 and 3.0-3.5, fixes tests etc. All tests still pass, which is good. Hoping to get some feedback from folks over at Twilio and move forward as quickly as possible.

[amloren1]

+1

[arun131700]

+1

We have an application that uses the package djangorestframework-simplejwt and needs pyjwt>=2.0.0 for our entire authentication service. We'll also have to use twilio<6.51.0, but we'd really appreciate if this pinned pyjwt dependency issue was resolved so we can keep our twilio dependency up-to-date.

[sarahraines]

+1

Same issue! Another dependency for my app requires PyJWT >=2.0.0, so I can't update to the newest version of Twilio. Thanks @karls and Twilio team for getting started on the fix!

[ebrake]

+1 this is holding us back from using v2 in our project

[sergiosrax]

+1 version 6.55.0 still holding into PyJWT 1.7.1

[Alexander3]

Pipenv is checking conflicts in package versions, so I had to pin twilio = "<6.51.0" 😞
That's why pinning specific version of requirements as a library is antipattern.

[pipenv.exceptions.ResolutionFailure]: Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.
There are incompatible versions in the resolved dependencies:
  pyjwt (from djangorestframework-simplejwt==4.6.0->-r /tmp/pipenva0_2tx3mrequirements/pipenv-_0ur3llj-constraints.txt (line 31))
  pyjwt==1.7.1 (from twilio==6.56.0->-r /tmp/pipenva0_2tx3mrequirements/pipenv-_0ur3llj-constraints.txt (line 42))
  pyjwt>=2.0.0 (from social-auth-core==4.1.0->social-auth-app-django==4.0.0->djoser==2.1.0->-r /tmp/pipenva0_2tx3mrequirements/pipenv-_0ur3llj-constraints.txt (line 50))

[rohanahata]

@thinkingserious any updates on this? Really need #560, to go through

[rmaciejczyk]

@thinkingserious it's been a while since this ticket was created and we are still waiting. As other said it's a blocker for many of us since there are several other important packages like social-auth which need PyJWT 2.x. In my projects I needed to temporarily turn sending SMS off and remove Twilio from requirements because of that.

[rohanahata]

Honestly I'm going with MessageBird because of this :(

[felixmeziere]

I really need this too please! My project cannot run without pyjwt 2.0 due to other dependencies that strongly require it

[rnegron]

Just jumping in to mention that we would also really appreciate this fix in order to start implementing A2P DLC campaign registration stuff programmatically using the latest version of this library

[atkawa7]

@thinkingserious

[yanivtoledano]

We've stopped using this library and instead ported over to directly use Twilio's api instead (with Python's Requests library...).

[thinkingserious]

Hello everyone! While we do not have an updated ETA just yet, the work needed to solve this issue has been scoped and is in our backlog for prioritization. Thank you for continuing to add your voice to this issue and for your patience.

[Okeydj]

+1

[farrokh]

+1 Hey we are struggling with the same problem. Please prioritize this task. Best.

[bharling]

This is still blocking us also, currently still stuck on a fork of this library until this is fixed, thanks!

[ndurell]

This is blocking us upgrading another SDK...I'm confused about the prioritization here. Also if anyone knows of a good fork that fixes lmk.

[childish-sambino]

We will be looking to major version roll this library in the coming weeks and drop support for Python <= 3.5 and migrate to PyJWT 2. We've scoped down the changes to just these items which allows us to reduce the timeline to release. Comms will go out to customers using such versions of Python and a recent release of this library to notify them of the breaking change should they choose to upgrade.

[hugorodgerbrown]

Also if anyone knows of a good fork that fixes lmk.

@ndurell - the unofficial fork for people who've been watching this issue is #560 from @karls

[bsandeepan]

Thanks. We recently updated pyJWT to v2 and found out about this. Good thing we only started to Implement Twilio for a service. Looking forward to the new release.

[cadir]

+1

[mmilosevic]

+1

[atkawa7]

+1

[zeloras]

+1

[mujad]

+1

[PavitraKailash]

Hello, I've been blocked with the same issue. I am unable to install twilio because other pyjwt verison 2.1.0 is installed in my env. I even tried installing twilio version 6.51.0 but it still gives me the same resolutionfailure error. I am installing using pipenv install twilio. Can I get some help for the same?

[PavitraKailash]

We've stopped using this library and instead ported over to directly use Twilio's api instead (with Python's Requests library...).

Hey, Just wanted to clarify a doubt. I am new to using twilio. Facing the same issue of pyJWT version. If we use twilio's api with python request library, we still need to install twilio, right? So does the error get resolved with using the request library?

[karls]

@PavitraKailash twilio-python version 6.51.0 is the first version to pin PyJWT to a specific version, which is why you're getting the dependency resolution failure.

If you want to try to install PyJWT >= 2.0 and twilio-python together, you can specify twilio-python version 6.50.1, which only specifies a lower bound for the PyJWT version. However, if you do that, anything to do with AccessTokens in twilio-python will break, because PyJWT 2.0 has backwards-incompatible changes in its API.

If you want to use twilio-python with PyJWT >= 2.0, I have a fork of twilio-python which we use in production, and I think a few others are using it too, which will unblock you until Twilio release a new official version of twilio-python that supports PyJWT >= 2.0. The fork we're using in production is pinned to this commit. Obviously, use it at your own risk.

Alternatively, yes, you can bypass twilio-python and make requests directly to Twilio's API. You'll have to reverse engineer what twilio-python is doing and re-implement it directly using python-requests and PyJWT.

[PavitraKailash]

@PavitraKailash twilio-python version 6.51.0 is the first version to pin PyJWT to a specific version, which is why you're getting the dependency resolution failure.

If you want to try to install PyJWT >= 2.0 and twilio-python together, you can specify twilio-python version 6.50.1, which only specifies a lower bound for the PyJWT version. However, if you do that, anything to do with AccessTokens in twilio-python will break, because PyJWT 2.0 has backwards-incompatible changes in its API.

If you want to use twilio-python with PyJWT >= 2.0, I have a fork of twilio-python which we use in production, and I think a few others are using it too, which will unblock you until Twilio release a new official version of twilio-python that supports PyJWT >= 2.0. The fork we're using in production is pinned to this commit. Obviously, use it at your own risk.

Alternatively, yes, you can bypass twilio-python and make requests directly to Twilio's API. You'll have to reverse engineer what twilio-python is doing and re-implement it directly using python-requests and PyJWT.

@karls Thank You.

[thenerdster]

Any updates on this I am stuck.

[PavitraKailash]

Any updates on this I am stuck.

Hey @thenerdster, I tried installing pinned version of twilio, i.e, 6.50.1 and I could proceed with my work. Though I am still waiting for the twilio release that supports PyJWT>2, for temporary basis I am working with this pinned version.

[rmaciejczyk]

It's ridiculous what they do. They are working on other stuff which is far less important than this update whereas so many people insisting on their library are stuck and waiting for them :( @thinkingserious

[karls]

@rmaciejczyk Calm down. Do you think they are purposefully working on less important things and neglecting this change? Twilio isn't a 2-person startup that doesn't need any coordination. I am sure they are doing the best they can, given their circumstances.

There is a fork that you are free to use if you wish. We're using this commit in production without issues so far.

[rmaciejczyk]

@rmaciejczyk Calm down. Do you think they are purposefully working on less important things and neglecting this change? Twilio isn't a 2-person startup that doesn't need any coordination. I am sure they are doing the best they can, given their circumstances.

There is a fork that you are free to use if you wish. We're using this commit in production without issues so far.

@karls yes, this is actually what I think. I've been working on quite big projects (not in a 2-person startup) and I know how it looks from inside (the budget, available resources etc...). So if it was possible to create a fork and fix it there and this particular ticket was created over half a year ago how is it possible they haven't been able to implement it for 8 months? So what I really think is they focus on other more important (for them) tasks and postpone this one until they get available resources.

Unfortunately I'm not able to use libraries from a fork in an enterprise environment where I work so I've been stuck for half a year and the tech debt is growing.

[JenniferMah]

Hi Folks!
Thank you for your patience on this. On or after September 22 2021, Twilio will release version 7.0.0 of the Twilio Python helper library. This version will officially drop support for Python versions 2.7, 3.4, and 3.5. Twilio Python version 7.0.0 will also include the upgrade to PyJWT 2.0.

[ViktorStiskala]

A little bit ugly, but future-proof version specifier for those who are okay with an older version workaround:

>=6.50.1,<7.1,!=6.51.*,!=6.52.*,!=6.53.*,!=6.54.*,!=6.55.*,!=6.56.*,!=6.57.*,!=6.58.*,!=6.59.*,!=6.60.*,!=6.61.*,!=6.62.*,!=6.63.*

[Danisodu]

Any updates on this?

[cgorshing]

https://pypi.org/project/twilio/7.0.0/

[mmdii]

finally good news thanks.