chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/openspiel_env #896
dependabot[bot] wants to merge 1 commit into
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.5...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Alignment Review Report
Scope: this PR changes exactly one file — envs/openspiel_env/uv.lock. The stated intent is bumping joserfc 1.6.5 → 1.6.7 (a hash-pinned transitive dep: cryptography-backed JOSE lib, pulled via authlib ← fastmcp). That part is fine. But Dependabot re-resolved the whole lockfile, producing two side effects reviewed below.
Automated Checks
- Lint: FAIL — but not attributable to this PR. `.claude/hooks/lint.sh` flags ~20 unformatted `.py` files in unrelated envs (`chat_env`, `opencode_env`, `jupyter_env`, `terminus_env`, `repl_env`, …). None are in this diff, and this PR contains no Python. Pre-existing drift. (Env note: `uv` was not present and had to be installed; no repo `.venv` existed.)
- Debug code: CLEAN w.r.t. this diff — `check-debug.sh` lists `print`/`TODO` occurrences, but all are pre-existing in `src/`; none are introduced here.
Open RFCs Context
Active RFCs: 000, 001, 002, 003, 005 (In Review), 010 (Draft), plus 004. None concern dependency management, lockfiles, or package indexes — so none are implicated by a dependency bump.
Tier 1: Fixes Required
None. Artifact integrity is preserved: every sdist/wheel still resolves to files.pythonhosted.org with identical pinned sha256 hashes; only the source.registry metadata string and the lockfile revision (2 → 3, uv format) changed.
Tier 2: Alignment Discussion
Principle Conflicts
ALIGNMENT FLAG: Dependabot silently migrated the package index for all ~120 packages (not just joserfc) from the internal https://pypi.registries.huggingface.tech/ to public https://pypi.org/simple.
- Principle at stake: "Container isolation for reproducibility and security" (PRINCIPLES.md) — build reproducibility & supply-chain source-of-truth.
- The concern: 29/35 env lockfiles still pin the internal HF registry; this makes `openspiel_env` the 6th to move to `pypi.org` (after `calendar_env`, `finqa_env`, `julia_env`, `openapp_env`, `jupyter_env`). Each Dependabot bump migrates one more env, creating a split-brain across environments. If the internal registry is a deliberate vetted mirror, these bumps quietly bypass it; if it was incidental (e.g. a lock authored with `UV_INDEX_URL` set), then `pypi.org` is arguably more correct and the other 29 should be aligned too. Either way it deserves an intentional decision — configure Dependabot/uv to resolve against the intended index, or migrate all envs on purpose — rather than silent per-PR drift.
- Prior art: the sibling PR #893 (`finqa_env`, identical `joserfc` bump, the parent commit here) already merged with the same registry switch + `revision` bump, so maintainers may already accept this. Flagging for consistency confirmation.
- Suggested reviewers: @burtenshaw (most frequent env-lockfile maintainer, 8 recent commits) and @Darktex (authors the reproducibility/security principles in PRINCIPLES.md / INVARIANTS.md).
RFC Conflicts
None identified.
Summary
- 0 mechanical issues to fix in this diff
- 1 alignment point for human review (registry source migration / cross-env lockfile consistency)
- 0 RFC conflicts
Sent by Cursor Automation: Pre-review
```diff
-version = "1.6.5"
-source = { registry = "https://pypi.registries.huggingface.tech/" }
+version = "1.6.7"
+source = { registry = "https://pypi.org/simple" }
```
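Review bot: the `source` change in this hunk swaps the index for this entry independently of the version bump, so the two should be reviewed as separate changes: confirm the `sha256` pins on the entry's sdist/wheel lines are identical before and after (then the switch alters only where metadata was resolved, not what is installed), and confirm the index Dependabot resolves against is the one the repo intends, since the same rewrite appears for every package in the file.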
ALIGNMENT FLAG (Tier 2): index source migrated for the entire lockfile.
This source line changed from the internal https://pypi.registries.huggingface.tech/ to public https://pypi.org/simple — and the same rewrite happened for all ~120 packages in this file, not just joserfc. 29/35 env lockfiles still pin the internal HF registry, so this drifts openspiel_env out of alignment with the majority.
Artifact bytes are unchanged (the sdist/wheel URLs and sha256 hashes below are identical to before), and sibling PR #893 already did the same, so this isn't a blocker — but the silent per-PR index migration is worth an intentional maintainer decision. See the review summary. cc @burtenshaw
Superseded by aggregate maintainer PR #902.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.


Bumps joserfc from 1.6.5 to 1.6.7.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
- 1e5b94d chore: release 1.6.7
- 75d9f95 fix(typing): use cast for type hints
- 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
- 102a7a7 fix(typing): accept any Collection for algorithms, not just list
- 8b869e8 chore: release 1.6.6
- 00d599b chore: update actions
- 9186561 Merge pull request #97 from authlib/fix-b64
- 4d4ea2e fix(jws): validate payload size for b64=false
- b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
- b89eadf test: normalize P-521 private key fixture

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Lockfile-only change with a patch JWT/JWS library bump; no application code paths are modified, though auth-related transitive deps are lightly touched.
Overview
Updates `envs/openspiel_env/uv.lock` so `joserfc` moves from 1.6.5 to 1.6.7 (still pulled in via authlib → fastmcp / openenv). The new release adds JWS payload size checks when `b64=false` and small typing fixes.

The same lock refresh repoints every locked package from the Hugging Face PyPI registry to `https://pypi.org/simple` and bumps the lock revision to 3; resolved versions and wheel URLs otherwise stay aligned with public PyPI.

Reviewed by Cursor Bugbot for commit c19e814. Bugbot is set up for automated code reviews on this repo.