
chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/openspiel_env#896

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/openspiel_env/joserfc-1.6.7
Closed


Conversation


@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Contributor

Bumps joserfc from 1.6.5 to 1.6.7.

Release notes

Sourced from joserfc's releases.

1.6.7

   🐞 Bug Fixes

Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.
Commits
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
  • b89eadf test: normalize P-521 private key fixture
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only change with a patch JWT/JWS library bump; no application code paths are modified, though auth-related transitive deps are lightly touched.

Overview
Updates envs/openspiel_env/uv.lock so joserfc moves from 1.6.5 to 1.6.7 (still pulled in via authlibfastmcp / openenv). The new release adds JWS payload size checks when b64=false and small typing fixes.

The same lock refresh repoints every locked package from the Hugging Face PyPI registry to https://pypi.org/simple and bumps the lock revision to 3; resolved versions and wheel URLs otherwise stay aligned with public PyPI.

Reviewed by Cursor Bugbot for commit c19e814.

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.5...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 1, 2026
@burtenshaw burtenshaw added size: small Small pull request environment labels Jul 1, 2026 — with Cursor
bot-ci-comment Bot commented Jul 1, 2026


The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment


Alignment Review Report

Scope: this PR changes exactly one file — envs/openspiel_env/uv.lock. The stated intent is bumping joserfc 1.6.5 → 1.6.7 (a hash-pinned transitive dep: cryptography-backed JOSE lib, pulled via authlibfastmcp). That part is fine. But Dependabot re-resolved the whole lockfile, producing two side effects reviewed below.

Automated Checks

  • Lint: FAIL — but not attributable to this PR. .claude/hooks/lint.sh flags ~20 unformatted .py files in unrelated envs (chat_env, opencode_env, jupyter_env, terminus_env, repl_env, …). None are in this diff, and this PR contains no Python. Pre-existing drift. (Env note: uv was not present and had to be installed; no repo .venv existed.)
  • Debug code: CLEAN w.r.t. this diff — check-debug.sh lists print/TODO occurrences, but all are pre-existing in src/; none are introduced here.

Open RFCs Context

Active RFCs: 000, 001, 002, 003, 005 (In Review), 010 (Draft), plus 004. None concern dependency management, lockfiles, or package indexes — so none are implicated by a dependency bump.

Tier 1: Fixes Required

None. Artifact integrity is preserved: every sdist/wheel still resolves to files.pythonhosted.org with identical pinned sha256 hashes; only the source.registry metadata string and the lockfile revision (2 → 3, uv format) changed.

Tier 2: Alignment Discussion

Principle Conflicts

ALIGNMENT FLAG: Dependabot silently migrated the package index for all ~120 packages (not just joserfc) from the internal https://pypi.registries.huggingface.tech/ to public https://pypi.org/simple.

  • Principle at stake: "Container isolation for reproducibility and security" (PRINCIPLES.md) — build reproducibility & supply-chain source-of-truth.
  • The concern: 29/35 env lockfiles still pin the internal HF registry; this makes openspiel_env the 6th to move to pypi.org (after calendar_env, finqa_env, julia_env, openapp_env, jupyter_env). Each Dependabot bump migrates one more env, creating a split-brain across environments. If the internal registry is a deliberate vetted mirror, these bumps quietly bypass it; if it was incidental (e.g. a lock authored with UV_INDEX_URL set), then pypi.org is arguably more correct and the other 29 should be aligned too. Either way it deserves an intentional decision — configure Dependabot/uv to resolve against the intended index, or migrate all envs on purpose — rather than silent per-PR drift.
  • Prior art: the sibling PR #893 (finqa_env, identical joserfc bump, the parent commit here) already merged with the same registry switch + revision bump, so maintainers may already accept this. Flagging for consistency confirmation.
  • Suggested reviewers: @burtenshaw (most frequent env-lockfile maintainer, 8 recent commits) and @Darktex (authors the reproducibility/security principles in PRINCIPLES.md / INVARIANTS.md).

RFC Conflicts

None identified.

Summary

  • 0 mechanical issues to fix in this diff
  • 1 alignment point for human review (registry source migration / cross-env lockfile consistency)
  • 0 RFC conflicts

Sent by Cursor Automation: Pre-review

version = "1.6.5"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.6.7"
source = { registry = "https://pypi.org/simple" }
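Review bot: the `source.registry` rewrite on this line, from the internal https://pypi.registries.huggingface.tech/ to the public https://pypi.org/simple, is the part of this hunk that needs a decision, not the 1.6.5 to 1.6.7 version bump. Because the same rewrite hits every package in the file, it should be backed by an explicit index setting for uv in the repo (the review above suggests the lock may have been authored with UV_INDEX_URL set) so the next Dependabot re-resolve cannot move it again; the merge check for this PR should be a lock diff confirming that only the registry string and the revision changed while every artifact URL and sha256 stayed identical.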


ALIGNMENT FLAG (Tier 2): index source migrated for the entire lockfile.

This source line changed from the internal https://pypi.registries.huggingface.tech/ to public https://pypi.org/simple — and the same rewrite happened for all ~120 packages in this file, not just joserfc. 29/35 env lockfiles still pin the internal HF registry, so this drifts openspiel_env out of alignment with the majority.

Artifact bytes are unchanged (the sdist/wheel URLs and sha256 hashes below are identical to before), and sibling PR #893 already did the same, so this isn't a blocker — but the silent per-PR index migration is worth an intentional maintainer decision. See the review summary. cc @burtenshaw

@burtenshaw

Collaborator

Superseded by aggregate maintainer PR #902.

@burtenshaw burtenshaw closed this Jul 2, 2026

dependabot Bot commented on behalf of github Jul 2, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/envs/openspiel_env/joserfc-1.6.7 branch July 2, 2026 07:03