pkgsrc-Changes archive
CVS commit: pkgsrc/textproc/py-JWT
Module Name: pkgsrc
Committed By: wiz
Date: Sun May 24 18:24:13 UTC 2026
Modified Files:
pkgsrc/textproc/py-JWT: Makefile distinfo
Log Message:
py-JWT: update to 2.13.0.
v2.13.0
-------
Security
~~~~~~~~
- Reject JWK JSON documents passed as raw HMAC secrets in
``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
the existing PEM/SSH guard did not cover. Reported by @aradona91 in
`GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
verification so the caller's ``algorithms=[...]`` allow-list cannot be
bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
influenced URIs cannot read local files or reach unintended schemes via
urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
The previous ``finally``-block ``put(None)`` pattern cleared the cache
on any transient outage, turning one bad JWKS request into application-
wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
when ``b64=false`` is set in the protected header, and require that
segment to be empty (RFC 7515 Appendix F detached form). Closes an
unauthenticated DoS amplifier. Reported by @thesmartshadow in
`GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed
~~~~~
- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
``InvalidKeyError`` instead of accepting them with only a warning.
Thanks to @SnailSploit and @spartan8806 for independently flagging the
footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
option actually takes effect when set at the call site rather than only
on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
``"b64"`` to the ``crit`` header parameter, and the decoder rejects
tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
@MachineLearning-Nerd for the report.
Changed
~~~~~~~
- Migrate the ``dev``, ``docs``, and ``tests`` package extras to dependency groups by @kurtmckee in `#1152 <https://github.com/jpadilla/pyjwt/pull/1152>`__
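As an added illustration of the guards the log message above describes (this is not PyJWT's own code and not part of this commit), the following standard-library Python sketches a minimal HMAC-JWS verifier with three of them: rejecting empty keys, PEM/SSH material and JWK JSON documents as HMAC secrets; binding the header ``alg`` to the key's own algorithm name in addition to the caller's allow-list; and allowing only ``http(s)`` JWKS URIs. The function and exception names (``prepare_hmac_key``, ``check_jwks_uri``, ``verify_hs``, ``key_algorithm_name``) are hypothetical stand-ins for the library's, and every secret and token value is a constructed sample.

```python
# Added, illustrative example: not PyJWT's code. Function/exception names are
# hypothetical stand-ins; secrets and tokens below are constructed samples.
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


class InvalidKeyError(ValueError):
    """Key material is unusable as an HMAC secret."""

class InvalidAlgorithmError(ValueError):
    """Header 'alg' is not allowed or does not match the key."""

class InvalidSignatureError(ValueError):
    """Signature does not verify."""

class InvalidJWKSUriError(ValueError):
    """JWKS URI uses a scheme other than http(s)."""


HMAC_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def prepare_hmac_key(key) -> bytes:
    """Refuse key material that must never act as a shared HMAC secret."""
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not isinstance(key, (bytes, bytearray)):
        raise InvalidKeyError("HMAC key must be str or bytes")
    if len(key) == 0:
        raise InvalidKeyError("empty HMAC key")  # an error, not just a warning
    stripped = bytes(key).strip()
    if stripped.startswith(b"-----BEGIN") or stripped.startswith(b"ssh-"):
        raise InvalidKeyError("asymmetric key material used as HMAC secret")  # PEM/SSH guard
    if stripped.startswith(b"{"):  # JWK-document guard: a JSON key object is not a secret
        try:
            doc = json.loads(stripped)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and "kty" in doc:
            raise InvalidKeyError("JWK document used as HMAC secret")
    return bytes(key)


def check_jwks_uri(uri: str) -> str:
    """Allow only http(s) JWKS endpoints so no other urllib handler can be reached."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("http", "https"):
        raise InvalidJWKSUriError(f"unsupported JWKS URI scheme: {scheme!r}")
    return uri


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs(payload: dict, key, alg: str = "HS256") -> str:
    """Produce a compact JWS over the same signing input the verifier checks."""
    signing_input = _json_segment({"alg": alg, "typ": "JWT"}) + "." + _json_segment(payload)
    digest = hmac.new(prepare_hmac_key(key), signing_input.encode(), HMAC_HASHES[alg]).digest()
    return signing_input + "." + _b64url_encode(digest)


def verify_hs(token: str, key, algorithms, key_algorithm_name=None) -> dict:
    """Verify an HMAC JWS; key_algorithm_name plays the role of PyJWK.algorithm_name."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidSignatureError("compact JWS must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise InvalidAlgorithmError(f"alg {alg!r} not in caller's allow-list")
    if key_algorithm_name is not None and alg != key_algorithm_name:
        # Header alg must also match the key's own algorithm, not only the allow-list.
        raise InvalidAlgorithmError(f"alg {alg!r} does not match key algorithm {key_algorithm_name!r}")
    if alg not in HMAC_HASHES:
        raise InvalidAlgorithmError(f"unsupported HMAC alg {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(prepare_hmac_key(key), signing_input, HMAC_HASHES[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidSignatureError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def raises(exc_type, fn, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) raises exc_type (used to exercise the guards)."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    secret = "constructed-sample-secret"
    token = sign_hs({"sub": "alice"}, secret)
    print(verify_hs(token, secret, ["HS256"], key_algorithm_name="HS256"))
    print(raises(InvalidAlgorithmError, verify_hs, token, secret, ["HS256"], key_algorithm_name="HS384"))
    print(raises(InvalidKeyError, prepare_hmac_key, ""))
    print(raises(InvalidJWKSUriError, check_jwks_uri, "file:///tmp/jwks.json"))
```

The point of ``key_algorithm_name`` is the second security item in the log: an ``alg`` that is on the caller's allow-list but disagrees with what the key itself was issued for is still rejected. Detached ``b64=false`` handling and the ``crit`` requirement from the other items are deliberately left out of this sketch.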
To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 pkgsrc/textproc/py-JWT/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/textproc/py-JWT/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/textproc/py-JWT/Makefile
diff -u pkgsrc/textproc/py-JWT/Makefile:1.33 pkgsrc/textproc/py-JWT/Makefile:1.34
--- pkgsrc/textproc/py-JWT/Makefile:1.33 Sat Mar 14 12:50:05 2026
+++ pkgsrc/textproc/py-JWT/Makefile Sun May 24 18:24:13 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.33 2026/03/14 12:50:05 adam Exp $
+# $NetBSD: Makefile,v 1.34 2026/05/24 18:24:13 wiz Exp $
-DISTNAME= pyjwt-2.12.1
+DISTNAME= pyjwt-2.13.0
PKGNAME= ${PYPKGPREFIX}-${DISTNAME:S/pyjwt/JWT/}
CATEGORIES= textproc python
MASTER_SITES= ${MASTER_SITE_PYPI:=P/PyJWT/}
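Review bot: the DISTNAME bump from pyjwt-2.12.1 to pyjwt-2.13.0 carries behaviour changes that can break reverse dependencies, not just security fixes: per the log message, 2.13.0 raises InvalidKeyError on empty HMAC keys where 2.12.1 only warned, rejects b64=false tokens that omit "b64" from crit, and refuses non-http(s) PyJWKClient URIs. Worth running the test suites of packages that depend on py-JWT against this version and noting those incompatibilities in the commit log so users know why decode() now fails where it used to warn. No PKGREVISION line appears in the hunk, which is correct for a new upstream release.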
Index: pkgsrc/textproc/py-JWT/distinfo
diff -u pkgsrc/textproc/py-JWT/distinfo:1.27 pkgsrc/textproc/py-JWT/distinfo:1.28
--- pkgsrc/textproc/py-JWT/distinfo:1.27 Sat Mar 14 12:50:05 2026
+++ pkgsrc/textproc/py-JWT/distinfo Sun May 24 18:24:13 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.27 2026/03/14 12:50:05 adam Exp $
+$NetBSD: distinfo,v 1.28 2026/05/24 18:24:13 wiz Exp $
-BLAKE2s (pyjwt-2.12.1.tar.gz) = 1391ac0ce6268b183c01161c6679d735f4352d5ed744ce0a80ca50c1495f24f7
-SHA512 (pyjwt-2.12.1.tar.gz) = ad1e925b9aa39017bd83863233b39de06a919daed664d5835e58def47f6fb4435fab057a37a5fa8a7543f691f5fc9f82e6d879ef0ad60960f982a214b305078a
-Size (pyjwt-2.12.1.tar.gz) = 102564 bytes
+BLAKE2s (pyjwt-2.13.0.tar.gz) = 979d948b8ff340fe63e7e79d7597b897907fd181ded03c0b7cf3ae11b48107c3
+SHA512 (pyjwt-2.13.0.tar.gz) = e12fcc5171e48ef74f4384287c05d94367b7add4844066b650abd6c82534e557959f59ffce9bd6d4dc6970b99b7357be5bb652d0546937b3a64dfd329b63b561
+Size (pyjwt-2.13.0.tar.gz) = 107515 bytes
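Review bot: the new SHA512 and BLAKE2s lines only pin whatever pyjwt-2.13.0.tar.gz was fetched locally, so before committing compare the SHA512 value against the digest PyPI publishes for that sdist, since distinfo is the only integrity check downstream builds get. The three entries are replaced together and the filename matches the new DISTNAME in the Makefile hunk, so no stale 2.12.1 checksum survives; the size change from 102564 to 107515 bytes is consistent with a new release rather than a re-rolled tarball.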