Upgrade PyJWT to >=2.4 (CVE-2022-29217)

wasade · claude · wasade · commit 7ff17118aa84 · 2026-03-18T13:15:26.000-06:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/ci/pip_requirements.txt b/ci/pip_requirements.txt
@@ -1,7 +1,7 @@
 openapi-spec-validator < 0.2.10
 swagger-ui-bundle==0.0.9
 connexion[swagger-ui] < 2.7.1
-pyjwt[crypto] < 2.2.0
+pyjwt[crypto] >= 2.12.0, < 3.0.0
 pytest < 5.3.4
 pytest-cov
 coveralls
diff --git a/microsetta_interface/implementation.py b/microsetta_interface/implementation.py
@@ -779,7 +779,7 @@ def wrapper(**kwargs):
 # Client might not technically care who the user is, but if they do, they
 # get the token, validate it, and pull email out of it.
 def _parse_jwt(token):
-    decoded = jwt.decode(token, PUB_KEY, algorithms=['RS256'], verify=True)
+    decoded = jwt.decode(token, PUB_KEY, algorithms=['RS256'], options={'verify_signature': True})
     email_verified = decoded.get('email_verified', False)
     return decoded["email"], email_verified
 
