chore(deps): bump pyjwt from 2.10.1 to 2.13.0#3113
Conversation
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.1 to 2.13.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.10.1...2.13.0) --- updated-dependencies: - dependency-name: pyjwt dependency-version: 2.13.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Beyond the inline finding (which I independently reproduced against the pinned 2.13.0 wheel — InsecureKeyLengthWarning fires on both encode and decode for the 30- and 20-byte demo keys and escalates under filterwarnings = ["error"]), I checked the other 2.13.0 behavioral changes against this repo: no PyJWK/PyJWKClient or b64=false/detached-payload usage anywhere in the SDK, and all remaining HS256 call sites (tests/client/auth/extensions/test_client_credentials.py, the caller-supplied keys in src/mcp/client/auth/extensions/client_credentials.py) use ≥32-byte secrets — so the short demo keys are the only affected sites.
Extended reasoning...
This Dependabot PR bumps pyjwt 2.10.1 → 2.13.0 in uv.lock only. The bump itself is a desirable security release, but I empirically verified with the pinned 2.13.0 wheel that its new InsecureKeyLengthWarning fires for the sub-32-byte demo HS256 secrets in docs_src/identity_assertion/ and examples/stories/identity_assertion/, and the repo's filterwarnings = ["error"] (with no jwt-scoped ignore) escalates it to test failures — so merging as-is breaks tests/docs_src/test_identity_assertion.py and the identity_assertion story tests. The inline comment covers that; my note records the additional 2.13.0 behavior changes I checked and ruled out (PyJWK alg binding, PyJWKClient URI schemes, b64=false strictness, empty-key rejection — none are used or all sites use adequate keys) so a later pass need not re-derive them. Not approving because the finding is CI-breaking and requires a companion change (lengthen the demo secrets or add a scoped filter) before merge.
| name = "pyjwt" | ||
| version = "2.10.1" | ||
| version = "2.13.0" | ||
| source = { registry = "https://pypi.org/simple" } | ||
| sdist = { url = "https://files.pythonhosted.org/packages/e7/46/bd74733ff231675599650d3e47f361794b22ef3e3770998dda30d3b63726/pyjwt-2.10.1.tar.gz", hash = "sha256:3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953", size = 87785, upload-time = "2024-11-28T03:43:29.933Z" } | ||
| dependencies = [ | ||
| { name = "typing-extensions", marker = "python_full_version < '3.11'" }, | ||
| ] | ||
| sdist = { url = "https://files.pythonhosted.org/packages/3b/81/58d0ac84e1ef3a3843791d6954d94c0b33d526c75eeb1efbce9d0a4c4077/pyjwt-2.13.0.tar.gz", hash = "sha256:41571c89ca91598c79e8ef18a2d07367d4810fbbd6f637794879baf1b7703423", size = 107515, upload-time = "2026-05-21T19:54:36.618Z" } | ||
| wheels = [ | ||
| { url = "https://files.pythonhosted.org/packages/61/ad/689f02752eeec26aed679477e80e632ef1b682313be70793d798c1d5fc8f/PyJWT-2.10.1-py3-none-any.whl", hash = "sha256:dcdd193e30abefd5debf142f9adfcdd2b58004e644f25406ffaebd50bd98dacb", size = 22997, upload-time = "2024-11-28T03:43:27.893Z" }, | ||
| { url = "https://files.pythonhosted.org/packages/a3/5e/ecf12fdb62546d64385c158514e9b2b671f7832108ef2ecd2020ce0af2d1/pyjwt-2.13.0-py3-none-any.whl", hash = "sha256:66adcc2aff09b3f1bbd95fc1e1577df8ac8723c978552fd43304c8a290ac5728", size = 31274, upload-time = "2026-05-21T19:54:35.362Z" }, | ||
| ] |
There was a problem hiding this comment.
🔴 pyjwt 2.13.0 adds jwt.warnings.InsecureKeyLengthWarning (a UserWarning subclass) on jwt.encode()/jwt.decode() when an HMAC key is shorter than 32 bytes for HS256 — and this repo's filterwarnings = ["error"] turns it into hard test failures for the sub-32-byte demo secrets in docs_src/identity_assertion/tutorial001.py/tutorial002.py (30-byte key) and examples/stories/identity_assertion/idp.py (20-byte key), breaking tests/docs_src/test_identity_assertion.py and tests/examples/test_stories.py. Lengthen the demo secrets to ≥32 bytes (better docs hygiene anyway) or add a scoped filterwarnings ignore in the same change before merging.
Extended reasoning...
What the bug is
pyjwt 2.13.0 (new since the 2.10.1 this lock file previously pinned) emits jwt.warnings.InsecureKeyLengthWarning — a UserWarning subclass — from both jwt.encode() and jwt.decode() whenever an HMAC key is shorter than the RFC 7518 §3.2 minimum for the hash (32 bytes for HS256). This behavior did not exist in 2.10.1; it was verified empirically against both wheels: 2.10.1 is silent with the same short keys, while 2.13.0 warns.
This repo runs pytest with filterwarnings = ["error"] (pyproject.toml:251-265). The ignore list only covers pywin32 and three MCPDeprecationWarning patterns — nothing scoped to jwt warnings — so the new warning becomes a hard test error.
The code paths that trigger it
Three sites use sub-32-byte HS256 secrets:
docs_src/identity_assertion/tutorial001.py:12—IDP_SIGNING_KEY = "the-enterprise-idp-signing-key"(30 bytes), used byjwt.encode(..., algorithm="HS256")at line 46.docs_src/identity_assertion/tutorial002.py:24— same 30-byte key, used byjwt.decode()at line 55 insideexchange_identity_assertion().examples/stories/identity_assertion/idp.py:17—IDP_SIGNING_KEY = "demo-idp-signing-key"(20 bytes), encoded atidp.py:40and decoded atexamples/stories/identity_assertion/server.py:61.
Tests exercising them:
tests/docs_src/test_identity_assertion.py— e.g. line 81 callstutorial001.idp_issue_id_jag()(30-byte encode → warning → error), and line 83 callsjwt.decode()directly with the same key; every test drivingtutorial002.provider.exchange_identity_assertion()with a valid assertion hits the decode-side warning too.tests/examples/test_stories.py— runs every story'smain()in-process under pytest, so the identity_assertion story's 20-byte encode/decode runs under theerrorfilter.
Why nothing prevents it
No conftest.py, pytestmark, pytest.warns, or catch_warnings suppresses this warning anywhere in the identity-assertion tests or demo code. The tests that do use HS256 with long keys (e.g. tests/client/auth/extensions/test_client_credentials.py uses 'a-string-secret-at-least-256-bits-long', 38 bytes) are unaffected — which conveniently demonstrates the fix.
Step-by-step proof
- Install pyjwt 2.13.0 (the exact wheel pinned by this PR's
uv.lockchange). - Run
python -W error::UserWarning -c "import jwt; jwt.encode({'sub': 'x'}, 'the-enterprise-idp-signing-key', algorithm='HS256')". - Result:
InsecureKeyLengthWarning: The HMAC key is 30 bytes long, which is below the minimum recommended length of 32 bytes for SHA256. See RFC 7518 Section 3.2.raised as an error. The same command against pyjwt 2.10.1 completes silently. - Under pytest,
filterwarnings = ["error"]applies the same escalation, sotests/docs_src/test_identity_assertion.py::test_the_id_jag_is_a_typed_jwt_carrying_the_claims_the_page_listsfails at theidp_issue_id_jag()call, and the identity_assertion entries intests/examples/test_stories.pyfail at theidp.py:40encode. - Four independent verifiers reproduced this against the actual pinned 2.13.0 wheel from PyPI; all confirmed both the encode and decode paths raise.
Impact and fix
The bump itself is a desirable security release (it bundles five security fixes) and should land — but merging this Dependabot PR as-is (it touches only uv.lock) turns CI red across the docs_src and stories test suites. The fix is small: lengthen the two demo secrets to ≥32 bytes (e.g. "the-enterprise-idp-signing-key-0" / "demo-idp-signing-key-padded-out-32b"), which is better example hygiene anyway since users copy tutorial code verbatim and would otherwise see this warning at runtime. Alternatively, add a scoped ignore::jwt.warnings.InsecureKeyLengthWarning entry to filterwarnings in pyproject.toml — though fixing the keys is preferable to silencing a legitimate security warning in demo code.
Bumps pyjwt from 2.10.1 to 2.13.0.
Release notes
Sourced from pyjwt's releases.
... (truncated)
Changelog
Sourced from pyjwt's changelog.
... (truncated)
Commits
7144e45Apply ruff formatd2f4becRestorecast()calls with cross-versiontype: ignoreforprepare_key22f478cRemove redundant casts inRSAAlgorithm.prepare_keyand `ECAlgorithm.prepare...95791b1Bundle security fixes and hardening into 2.13.0dcc27a9[pre-commit.ci] pre-commit autoupdate (#1155)9d08a9a[pre-commit.ci] pre-commit autoupdate (#1146)b87c100Bump codecov/codecov-action from 5 to 6 (#1154)40e3147Migrate development extras to dependency groups (#1152)a4e1a3dAdd typing_extensions dependency for Python < 3.11 (#1151)bd9700cUse PyJWK algorithm when encoding without explicit algorithm (#1148)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.