chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /envs/terminus_env #911
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.8.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.8)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Alignment Review Report
Two-tier alignment review of the joserfc bump. The intended dependency change is clean, but the regenerated lockfile carries a large, unintended side effect worth a human decision before merge.
Automated Checks
- Lint: PASS (for this diff). The PR touches only `envs/terminus_env/uv.lock` (no Python). `.claude/hooks/lint.sh` does report `ruff format` diffs, but every flagged file (e.g. `envs/opencode_env/*`, `envs/terminus_env/server/terminus_env_environment.py`) is pre-existing and untouched by this PR.
- Debug code: CLEAN (for this diff). `check-debug.sh` lists many `print(...)`/`TODO` hits, but all are pre-existing in `src/**` (docstrings, CLI `console.print`, `test_local_docker_provider.py`). None are introduced here.
Open RFCs Context
Open RFCs: 000 (In Review), 001 (In Review), 002 (In Review), 003 (In Review), 004 (rubrics), 005 (In Review), 010 (Draft). All concern env/agent abstractions, MCP, rewards/rubrics, harnesses, and world-modeling. None govern dependency management, packaging, or package-index policy → no RFC conflicts.
Tier 1: Fixes Required
- None. Lockfile-only change; all artifacts stay pinned by sha256, and `joserfc` 1.6.4 → 1.6.8 is a clean patch bump. No lint/debug/type/import/syntax/credential issues introduced.
Tier 2: Alignment Discussion
Principle Conflicts
No direct violation of PRINCIPLES.md / INVARIANTS.md (those govern API / MCP / reward / client-server / container boundaries, not lockfiles). One repo-consistency + supply-chain concern:
ALIGNMENT FLAG: Dependabot silently flipped the package index for every dependency, not just joserfc
- Principle/RFC at stake: reproducibility / container network policy (INVARIANTS “Container isolation → Network access must be explicitly configured”) + repo dependency-source consistency
- The concern: Despite the title, the diff rewrites the `source` registry for all ~130 packages from `https://pypi.registries.huggingface.tech/` → `https://pypi.org/simple`, and bumps the lock `revision` 2 → 3. This is because Dependabot regenerates the lock with its own uv/index (public PyPI) rather than the HF-internal mirror the env locks were built against. Net effect: `terminus_env` becomes the only 1 of 26 envs on public PyPI (the other 25 still use the HF mirror), while the root `uv.lock` already uses public PyPI. That split convention should be resolved intentionally, not drifted per-env by a bot. Hashes are pinned so artifact integrity is fine — the risk is index availability/policy if env Docker/CI builds resolve against a locked-down index.
- Suggested reviewer: @burtenshaw (owns `.github/dependabot.yml` + the env-dependency roll-up process: #644, #723, #770, #789, #804) and Sergio Paniego / @sergiopaniego (env packaging migration, #882)
PROCESS FLAG: PR runs counter to the Dependabot exclude-paths policy
- The concern: For the `uv` ecosystem, `.github/dependabot.yml` sets `exclude-paths: ["envs/**"]` (added in #644, “Match Dependabot root-only config”) — env lock updates are meant to be handled manually via roll-ups (#723/#770/#789/#804), not individual Dependabot PRs. Yet this PR updates `envs/terminus_env/uv.lock`. Either `exclude-paths` isn't excluding as intended for uv, or this env shouldn't get standalone Dependabot PRs. Reconciling this prevents the index-flip churn above from recurring on every future env bump.
- Suggested reviewer: @burtenshaw
RFC Conflicts
None identified.
Summary
- 0 mechanical (Tier 1) issues — the `joserfc` 1.6.4 → 1.6.8 bump itself is clean.
- 1 alignment point — the repo-wide index-source flip (HF mirror → public PyPI) makes `terminus_env` inconsistent with its 25 sibling envs.
- 0 RFC conflicts.
- 1 process point — this PR contradicts the `exclude-paths: ["envs/**"]` Dependabot policy.
Recommendation: hold merge pending an index-policy decision. Either (a) regenerate the lock against the HF mirror so it matches sibling envs (keeping the joserfc bump), or (b) if standardizing on public PyPI is intended, do it consistently across all envs and update the Dependabot config so future env bumps don’t churn source.
Sent by Cursor Automation: Pre-review
| version = "1.6.4" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "1.6.8" | ||
| source = { registry = "https://pypi.org/simple" } |
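Review bot: the `source` line for joserfc changes the registry together with the `version` line; if only the joserfc bump is intended, regenerate the lock with the same index configuration the sibling env locks use (for example `uv lock --upgrade-package joserfc` run where the mirror is the configured index) so that only `version = "1.6.8"` and its hashes change in this block and `registry = "https://pypi.registries.huggingface.tech/"` is left as it was.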
The joserfc version bump here (1.6.4 → 1.6.8) is fine on its own. The issue is this line: the source for joserfc — and for every other package in this lockfile — was flipped from https://pypi.registries.huggingface.tech/ to https://pypi.org/simple.
That makes terminus_env the only one of 26 envs resolving against public PyPI; all sibling env locks still use the HF mirror. This is a Dependabot artifact (it regenerates the lock with its own uv/index), not an intended part of a joserfc bump. Please decide the canonical index and apply it consistently rather than merging a per-env flip.
| @@ -1,5 +1,5 @@ | |||
| version = 1 | |||
| revision = 2 | |||
| revision = 3 | |||
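Review bot: `revision = 2` → `revision = 3` in this header hunk is a lockfile-format bump, not a dependency change, and it will recur on every bot regeneration until the uv release used for env locks is pinned; unless the other env locks are being moved to revision 3 in the same change, regenerate this file with the uv version that wrote them so the header stays at `revision = 2` and the diff is limited to the joserfc entries.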
revision also jumps 2 → 3 here — a uv lockfile format bump written by a newer uv than the one that generated the other env locks (still on revision 2). Same root cause as the index flip: Dependabot regenerated this file with a different uv toolchain. Worth aligning the uv version used for env locks so bot bumps don’t churn format + source.


Bumps joserfc from 1.6.4 to 1.6.8.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
- ea1d9e3 chore: release 1.6.8
- 86d0091 Reject empty oct key material and empty HMAC keys at sign/verify entry
- 1e5b94d chore: release 1.6.7
- 75d9f95 fix(typing): use cast for type hints
- 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
- 102a7a7 fix(typing): accept any Collection for algorithms, not just list
- 8b869e8 chore: release 1.6.6
- 00d599b chore: update actions
- 9186561 Merge pull request #97 from authlib/fix-b64
- 4d4ea2e fix(jws): validate payload size for b64=false

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Touches JWT/crypto dependency versions used by auth/MCP-related packages; low code churn but security-sensitive transitive behavior may change slightly.
Overview
Updates `envs/terminus_env/uv.lock` so the resolved `joserfc` package moves from 1.6.4 to 1.6.8 (pulled in via `authlib` / JWT-related stack). Lock revision increments and `uv` rewrites package `source.registry` entries from the Hugging Face PyPI mirror to `https://pypi.org/simple` across the lockfile; artifact hashes for most packages are unchanged aside from `joserfc`.
The `joserfc` upgrade brings JWS hardening (payload size checks when `b64=false`) and rejection of empty oct/HMAC key material in 1.6.6–1.6.8, plus minor typing fixes in 1.6.7. No `pyproject.toml` changes in this env.
Reviewed by Cursor Bugbot for commit bfc4591. Bugbot is set up for automated code reviews on this repo. Configure here.