
chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /envs/terminus_env#911

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/terminus_env/joserfc-1.6.8

Conversation

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026


Bumps joserfc from 1.6.4 to 1.6.8.

Release notes

Sourced from joserfc's releases.

1.6.8

  • Reject empty OctKey.

Full Changelog: authlib/joserfc@1.6.7...1.6.8

1.6.7

   🐞 Bug Fixes


1.6.5

No significant changes


Changelog

Sourced from joserfc's changelog.

1.6.8

Released on May 27, 2026

  • Reject empty OctKey.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.

1.6.5

Released on May 3, 2026

  • JWS: increase registry's payload max size.

Commits
  • ea1d9e3 chore: release 1.6.8
  • 86d0091 Reject empty oct key material and empty HMAC keys at sign/verify entry
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Touches JWT/crypto dependency versions used by auth/MCP-related packages; low code churn but security-sensitive transitive behavior may change slightly.

Overview
Updates envs/terminus_env/uv.lock so the resolved joserfc package moves from 1.6.4 to 1.6.8 (pulled in via authlib / JWT-related stack). Lock revision increments and uv rewrites package source.registry entries from the Hugging Face PyPI mirror to https://pypi.org/simple across the lockfile; artifact hashes for most packages are unchanged aside from joserfc.

The joserfc upgrade brings JWS hardening (payload size checks when b64=false) and rejection of empty oct/HMAC key material in 1.6.6–1.6.8, plus minor typing fixes in 1.6.7. No pyproject.toml changes in this env.

Reviewed by Cursor Bugbot for commit bfc4591.
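The two hardening changes the changelog entries above describe (rejecting empty oct/HMAC key material at the sign/verify entry point in 1.6.8, and checking payload size on the raw bytes when b64=false in 1.6.6), shown as an added stand-alone example. This is not joserfc's code: it reimplements an HS256 compact JWS on the Python standard library so both failure modes are visible without installing the library. The 256 KiB limit, the exception class names and the helper names (`check_oct_key`, `sign_rejects`, `verify_rejects`, `forge_with_empty_key`) are assumptions for the demo, not joserfc's API.

```python
"""Added example, not joserfc's own code. Reimplements HS256 compact JWS
(RFC 7515, with the RFC 7797 b64=false unencoded-payload option) on the
standard library to show why an empty oct key must be refused at entry and
why the b64=false size check has to run on the raw payload segment."""
import base64
import hashlib
import hmac
import json

# Assumed limit for this demo; joserfc's registry uses its own value.
MAX_PAYLOAD_SIZE = 256 * 1024


class InvalidKeyError(ValueError):
    """Raised when oct/HMAC key material is empty (assumed name)."""


class PayloadTooLargeError(ValueError):
    """Raised when a JWS payload exceeds MAX_PAYLOAD_SIZE (assumed name)."""


def _b64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def check_oct_key(key) -> bytes:
    """Entry-point check: reject empty key material before any HMAC call."""
    if not isinstance(key, (bytes, bytearray)) or len(key) == 0:
        raise InvalidKeyError("empty oct key material is not a valid HMAC key")
    return bytes(key)


def _check_payload_size(payload: bytes) -> None:
    if len(payload) > MAX_PAYLOAD_SIZE:
        raise PayloadTooLargeError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD_SIZE}")


def _sign_unchecked(key: bytes, payload: bytes, b64: bool) -> bytes:
    # hmac.new happily accepts b"" as a key, so nothing below this point
    # would stop an empty key: the refusal has to happen at the entry point.
    header = {"alg": "HS256"}
    if not b64:
        if b"." in payload:
            raise ValueError("unencoded payload must not contain '.' in compact form")
        header["b64"] = False
        header["crit"] = ["b64"]
    protected = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_part = payload if not b64 else _b64url_encode(payload)
    signing_input = protected + b"." + payload_part
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + _b64url_encode(tag)


def hs256_sign(key, payload: bytes, b64: bool = True) -> bytes:
    key = check_oct_key(key)
    _check_payload_size(payload)
    return _sign_unchecked(key, payload, b64)


def hs256_verify(key, token: bytes) -> bytes:
    key = check_oct_key(key)
    parts = token.split(b".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three segments")
    protected, payload_part, tag_part = parts
    header = json.loads(_b64url_decode(protected))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    b64 = header.get("b64", True)
    # With b64=false the segment *is* the payload; the size check must run on
    # the raw segment before the HMAC is computed over it.
    payload = payload_part if not b64 else _b64url_decode(payload_part)
    _check_payload_size(payload)
    expected = hmac.new(key, protected + b"." + payload_part, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_part)):
        raise ValueError("bad signature")
    return payload


def forge_with_empty_key(payload: bytes) -> bytes:
    """What an attacker gets if empty keys pass through: a token anyone can mint."""
    return _sign_unchecked(b"", payload, True)


def sign_rejects(key, payload: bytes, b64: bool = True):
    """Return the exception class name hs256_sign raises, or None on success."""
    try:
        hs256_sign(key, payload, b64=b64)
    except ValueError as exc:
        return type(exc).__name__
    return None


def verify_rejects(key, token: bytes):
    """Return the exception class name hs256_verify raises, or None on success."""
    try:
        hs256_verify(key, token)
    except ValueError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    real_key = b"k" * 32
    print(hs256_verify(real_key, hs256_sign(real_key, b"hello", b64=False)))
    print(sign_rejects(b"", b"hello"), verify_rejects(b"", forge_with_empty_key(b"hello")))
```

The empty-key case matters in practice because the key usually comes from configuration: a missing environment variable or an empty secret file yields `b""`, and `hmac.new` does not object, so without the entry-point check a misconfigured verifier accepts tokens anyone can mint. The b64=false case is different in kind: because the payload segment is not base64, a size limit applied only after decoding never runs, so the check has to be placed on the raw segment, which is what the 1.6.6 entry "validate payload size when b64=false" refers to.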

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.8.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.8)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 3, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 3, 2026 — with Cursor
bot-ci-comment Bot commented Jul 3, 2026


The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment


Alignment Review Report

Two-tier alignment review of the joserfc bump. The intended dependency change is clean, but the regenerated lockfile carries a large, unintended side effect worth a human decision before merge.

Automated Checks

  • Lint: PASS (for this diff). The PR touches only envs/terminus_env/uv.lock (no Python). .claude/hooks/lint.sh does report ruff format diffs, but every flagged file (e.g. envs/opencode_env/*, envs/terminus_env/server/terminus_env_environment.py) is pre-existing and untouched by this PR.
  • Debug code: CLEAN (for this diff). check-debug.sh lists many print(...)/TODO hits, but all are pre-existing in src/** (docstrings, CLI console.print, test_local_docker_provider.py). None are introduced here.

Open RFCs Context

Open RFCs: 000 (In Review), 001 (In Review), 002 (In Review), 003 (In Review), 004 (rubrics), 005 (In Review), 010 (Draft). All concern env/agent abstractions, MCP, rewards/rubrics, harnesses, and world-modeling. None govern dependency management, packaging, or package-index policy → no RFC conflicts.

Tier 1: Fixes Required

  • None. Lockfile-only change; all artifacts stay pinned by sha256, and joserfc 1.6.4 → 1.6.8 is a clean patch bump. No lint/debug/type/import/syntax/credential issues introduced.

Tier 2: Alignment Discussion

Principle Conflicts

No direct violation of PRINCIPLES.md / INVARIANTS.md (those govern API / MCP / reward / client-server / container boundaries, not lockfiles). One repo-consistency + supply-chain concern:

ALIGNMENT FLAG: Dependabot silently flipped the package index for every dependency, not just joserfc

  • Principle/RFC at stake: reproducibility / container network policy (INVARIANTS “Container isolation → Network access must be explicitly configured”) + repo dependency-source consistency
  • The concern: Despite the title, the diff rewrites the source registry for all ~130 packages from https://pypi.registries.huggingface.tech/ to https://pypi.org/simple, and bumps the lock revision 2 → 3. This is because Dependabot regenerates the lock with its own uv/index (public PyPI) rather than the HF-internal mirror the env locks were built against. Net effect: terminus_env becomes the only 1 of 26 envs on public PyPI (the other 25 still use the HF mirror), while the root uv.lock already uses public PyPI. That split convention should be resolved intentionally, not drifted per-env by a bot. Hashes are pinned so artifact integrity is fine — the risk is index availability/policy if env Docker/CI builds resolve against a locked-down index.
  • Suggested reviewer: @burtenshaw (owns .github/dependabot.yml + the env-dependency roll-up process: #644, #723, #770, #789, #804) and Sergio Paniego / @sergiopaniego (env packaging migration, #882)

PROCESS FLAG: PR runs counter to the Dependabot exclude-paths policy

  • The concern: For the uv ecosystem, .github/dependabot.yml sets exclude-paths: ["envs/**"] (added in #644, “Match Dependabot root-only config”) — env lock updates are meant to be handled manually via roll-ups (#723/#770/#789/#804), not individual Dependabot PRs. Yet this PR updates envs/terminus_env/uv.lock. Either exclude-paths isn’t excluding as intended for uv, or this env shouldn’t get standalone Dependabot PRs. Reconciling this prevents the index-flip churn above from recurring on every future env bump.
  • Suggested reviewer: @burtenshaw

RFC Conflicts

None identified.

Summary

  • 0 mechanical (Tier 1) issues — the joserfc 1.6.4 → 1.6.8 bump itself is clean.
  • 1 alignment point — the repo-wide index-source flip (HF mirror → public PyPI) makes terminus_env inconsistent with its 25 sibling envs.
  • 0 RFC conflicts.
  • 1 process point — this PR contradicts the exclude-paths: ["envs/**"] Dependabot policy.

Recommendation: hold merge pending an index-policy decision. Either (a) regenerate the lock against the HF mirror so it matches sibling envs (keeping the joserfc bump), or (b) if standardizing on public PyPI is intended, do it consistently across all envs and update the Dependabot config so future env bumps don’t churn source.

Sent by Cursor Automation: Pre-review

Comment thread envs/terminus_env/uv.lock
version = "1.6.4"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.6.8"
source = { registry = "https://pypi.org/simple" }
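Review bot: the new `source = { registry = "https://pypi.org/simple" }` line is unrelated to the joserfc version change in the same hunk, and because uv resolves the pinned artifact from the registry recorded here, a build that can only reach the old index will fail to fetch 1.6.8 even though the sha256 pins are intact. Regenerate the lock against the same index the file used before (for example `uv lock --upgrade-package joserfc` with the mirror configured as the index) so that only the `version = "1.6.8"` line changes in this entry, and keep the index decision as a separate, repo-wide change.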


The joserfc version bump here (1.6.4 → 1.6.8) is fine on its own. The issue is this line: the source for joserfc — and for every other package in this lockfile — was flipped from https://pypi.registries.huggingface.tech/ to https://pypi.org/simple.

That makes terminus_env the only one of 26 envs resolving against public PyPI; all sibling env locks still use the HF mirror. This is a Dependabot artifact (it regenerates the lock with its own uv/index), not an intended part of a joserfc bump. Please decide the canonical index and apply it consistently rather than merging a per-env flip.

Comment thread envs/terminus_env/uv.lock
@@ -1,5 +1,5 @@
version = 1
revision = 2
revision = 3
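Review bot: `revision = 2` → `revision = 3` is a lockfile-format bump written by a newer uv, not part of the dependency change, and a lock at a newer revision than the uv version pinned in CI or Docker can be rejected or silently rewritten on the next `uv sync`. Either regenerate this file with the uv version the other env locks were produced with (keeping `revision = 2`), or move all env locks to revision 3 in one deliberate change so the format does not drift one env at a time.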


revision also jumps 2 → 3 here — a uv lockfile format bump written by a newer uv than the one that generated the other env locks (still on revision 2). Same root cause as the index flip: Dependabot regenerated this file with a different uv toolchain. Worth aligning the uv version used for env locks so bot bumps don’t churn format + source.
