
build(deps): bump the production group across 1 directory with 10 updates#3404

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/backend/production-b2dc3f233b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Contributor

Updates the requirements on fastapi, kubernetes, kubernetes-asyncio, pydantic, pyjwt, python-multipart, redis, setuptools, types-pyyaml and uvicorn[standard] to permit the latest version.
Updates fastapi from 0.128.0 to 0.137.1

Release notes

Sourced from fastapi's releases.

0.137.1

Fixes

0.137.0

Breaking Changes

  • ♻️ Refactor internals to preserve APIRouter and APIRoute instances. PR #15745 by @​tiangolo.

Unblocks ✨ SO MANY THINGS ✨

Before this, router.include_router(other_router) would take each path operation from other_router and "clone" it, or recreate it from scratch.

This would mean that in the end there was only one top level router, part of the app.

The way it is structured here is that there are a few additional classes to handle intermediate metadata for router and route inclusion. That way the information of "router X includes Y and Y includes Z" is stored somewhere, without affecting (recreating / cloning) the final route.

Non Objectives

Dependencies for 404: previously I intended to support dependencies that would be executed even for 404, but that would conflict with the fact that a router could not find a match, but the next router did find a match. Executing dependencies in the router that did not find a match would not make sense, they could consume the request, body, etc. This original idea was discarded.

Specific Breaking Changes

Now router.routes is no longer a plain list of APIRoute objects, it can contain these intermediate objects that can contain additional routers, forming a tree.

Any logic that depended on iterating on the router.routes directly would be affected, that logic cannot expect to be able to extract data from a plain list of routes, as it's no longer a plain list but a tree.

Additionally, any logic that iterated on router.routes to modify them would now also see these new objects, and would not see all the routes in the app.

router.routes should be considered an internal implementation detail, only passed around to the FastAPI functions that need it.

Features

  • Adding routes (path operations) after a router is included now works, they are reflected as they are not copied.
  • Including subrouter in mainrouter can be done before adding routes (path operations) to subrouter, because now the entire object is stored instead of copying the routes.
  • As routes are not copied, in some cases that might save some memory.

Alpha Features

This is not documented yet, so it's not officially supported yet and could change in the future.

But, as APIRoute and APIRouter instances are now preserved, they could be customized.

APIRouter has two new methods, .matches() and .handle(), counterpart to the existing ones in APIRoute. With this a router could customize how it matches and handles requests. For example, it could match only requests that include some specific header, for example for handling versions in headers.

Still, for now, consider this very experimental and potentially changing and breaking in the future.

Future Features Enabled

... (truncated)

Commits

Updates kubernetes from 35.0.0 to 36.0.2

Release notes

Sourced from kubernetes's releases.

Kubernetes Python Client v36.0.2 Stable Release

Getting started:

pip install --pre --upgrade kubernetes

Or from source, download attached zip file, then

unzip client-python-v36.0.2.zip
cd client-python-v36.0.2
python setup-release.py install

Then follow examples in https://github.com/kubernetes-client/python/tree/release-36.0/examples

Changelog: https://github.com/kubernetes-client/python/blob/release-36.0/CHANGELOG.md

Kubernetes Python Client v36.0.1 Stable Release

Getting started:

pip install --pre --upgrade kubernetes

Or from source, download attached zip file, then

unzip client-python-v36.0.1.zip
cd client-python-v36.0.1
python setup-release.py install

Then follow examples in https://github.com/kubernetes-client/python/tree/release-36.0/examples

Changelog: https://github.com/kubernetes-client/python/blob/release-36.0/CHANGELOG.md

Kubernetes Python Client v36.0.0 Beta 1 Release

Getting started:

pip install --pre --upgrade kubernetes

Or from source, download attached zip file, then

unzip client-python-v36.0.0b1.zip
cd client-python-v36.0.0b1

... (truncated)

Changelog

Sourced from kubernetes's changelog.

v36.0.2

Kubernetes API Version: v1.36.1

Uncategorized

  • Restored backward compatibility for Configuration.auth_settings(): the legacy api_key['authorization'] lookup is honored as a fallback when api_key['BearerToken'] is not set, fixing 401 Unauthorized regressions seen after upgrading to v36.0.0 (#2595). (#2604, @​GK-07)

v36.0.1

Kubernetes API Version: v1.36.1

Bug or Regression

  • Fix load_incluster_config() and load_kube_config() (sync and async, with a static token) so requests carry an Authorization header on kubernetes-client/python v36+. Without this fix, in-cluster pods upgrading to v36 silently send unauthenticated requests and the apiserver rejects them as system:anonymous. (#2585, @​Jmacek)

Deprecation

v36.0.0

Kubernetes API Version: v1.36.1

v36.0.0b1

Kubernetes API Version: v1.36.1

Deprecation

v36.0.0a3

Kubernetes API Version: v1.36.0

v36.0.0a2

Kubernetes API Version: v1.36.0

v36.0.0a1

Kubernetes API Version: v1.36.0

API Change

  • ACTION REQUIRED: DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (beta in v1.36). Schedulers and controllers must be granted update/patch on resourceclaims/binding. DRA drivers must be granted associated-node:update or arbitrary-node:update (or patch equivalents) on resourceclaims/driver, restricted by their specific resourceNames. (kubernetes/kubernetes#134947, @​aojea) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Scheduling and Testing]
  • ACTION REQUIRED: Removed the integrated support for flex-volumes in kubeadm. Users were advised to migrate away from flex-volumes as recommended by SIG Storage since v1.22. If kubeadm users wish to continue using the feature, they need a custom image for the KCM that is not based on distroless, pass the KCM flag --flex-volume-plugin-dir, and mount the directory /usr/libexec/kubernetes/kubelet-plugins/volume/exec in the KCM static pod using kubeadm's extraVolumes mechanism before upgrading to v1.36. Previously, kubeadm automatically did the mounting if the user passed the flag. (kubernetes/kubernetes#136423, @​neolit123) [SIG Cluster Lifecycle]
  • ACTION REQUIRED: Renamed metric etcd_bookmark_counts to etcd_bookmark_total. If you are using custom monitoring dashboards or alerting rules based on the etcd_bookmark_counts metric, update them to use the new etcd_bookmark_total metric. (kubernetes/kubernetes#136483, @​petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
  • Added SchedulingConstraints to express topology-aware scheduling (TAS) constraints for PodGroup scheduling behind the TopologyAwareWorkloadScheduling feature gate. Added the TopologyPlacement plugin implementing the PlacementGenerate extension point to take constraints into consideration during PodGroup scheduling. (kubernetes/kubernetes#137271, @​brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]

... (truncated)

Commits
  • 1f2df03 Merge pull request #2607 from yliaog/automated-release-of-36.0.2-upstream-rel...
  • 348f673 Merge pull request #2605 from yliaog/release-36.0
  • 70e680e Apply hotfix for commit: 5621a4c2cf5cc278e8f45ce759ce44c057f1dbe2
  • 9683d06 generated client change
  • d2cb000 update version constants for 36.0.2 release
  • 17cf4e1 update changelog with release notes from master branch
  • 8be4ce3 added breaking change on V1ServiceSpec fields cluster_i_ps and external_i_ps ...
  • a05fe9e Merge pull request #2599 from yliaog/automated-release-of-36.0.1-upstream-rel...
  • 33827fa updated compatibility matrix and maintenance status
  • 8836c4c generated client change
  • Additional commits viewable in compare view

Updates kubernetes-asyncio from 29.0.0 to 36.1.0

Changelog

Sourced from kubernetes-asyncio's changelog.

v36.1.0

API Change

  • ACTION REQUIRED: DRA (Dynamic Resource Allocation) drivers and controllers now require granular RBAC permissions to update ResourceClaim statuses when the DRAResourceClaimGranularStatusAuthorization feature gate is enabled (beta in v1.36). Schedulers and controllers must be granted update/patch on resourceclaims/binding. DRA drivers must be granted associated-node:update or arbitrary-node:update (or patch equivalents) on resourceclaims/driver, restricted by their specific resourceNames. (#134947, @​aojea) [SIG API Machinery, Apps, Auth, Instrumentation, Node, Scheduling and Testing]
  • ACTION REQUIRED: Removed the integrated support for flex-volumes in kubeadm. Users were advised to migrate away from flex-volumes as recommended by SIG Storage since v1.22. If kubeadm users wish to continue using the feature, they need a custom image for the KCM that is not based on distroless, pass the KCM flag --flex-volume-plugin-dir, and mount the directory /usr/libexec/kubernetes/kubelet-plugins/volume/exec in the KCM static pod using kubeadm's extraVolumes mechanism before upgrading to v1.36. Previously, kubeadm automatically did the mounting if the user passed the flag. (#136423, @​neolit123) [SIG Cluster Lifecycle]
  • ACTION REQUIRED: Renamed metric etcd_bookmark_counts to etcd_bookmark_total. If you are using custom monitoring dashboards or alerting rules based on the etcd_bookmark_counts metric, update them to use the new etcd_bookmark_total metric. (#136483, @​petern48) [SIG API Machinery, Etcd, Instrumentation and Testing]
  • Added SchedulingConstraints to express topology-aware scheduling (TAS) constraints for PodGroup scheduling behind the TopologyAwareWorkloadScheduling feature gate. Added the TopologyPlacement plugin implementing the PlacementGenerate extension point to take constraints into consideration during PodGroup scheduling. (#137271, @​brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added DisruptionMode, PriorityClassName, and Priority fields to the Workload and PodGroup APIs to support workload-aware preemption when the WorkloadAwarePreemption feature gate is enabled. (#136589, @​tosi3k) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added ImageVolumeWithDigest which includes the digest of image volumes in the container status. (#132807, @​iholder101) [SIG API Machinery, Apps, Node and Testing]
  • Added MemoryReservationPolicy cgroup v2 MemoryQoS support to KubeletConfiguration for memory.min protection. (#137584, @​QiWang19) [SIG Node and Storage]
  • Added spec.stubPKCS10Request to the Pod Certificates beta API to improve compatibility with existing certificate authority implementations that expect a PKCS#10 certificate signing request. spec.pkixPublicKey and spec.proofOfPossession were deprecated in favor of this field. (#136729, @​ahmedtd) [SIG API Machinery, Auth, Node and Testing]
  • Added a deletion protection mechanism for PodGroup objects. (#137641, @​helayoty) [SIG API Machinery, Apps, Auth, Scheduling and Storage]
  • Added alpha support (behind the PersistentVolumeClaimUnusedSinceTime feature gate) for tracking PersistentVolumeClaim unused status via a new Unused condition on PersistentVolumeClaimStatus. When enabled, the PVC protection controller sets Unused=True with a lastTransitionTime when no non-terminal Pods reference the PersistentVolumeClaim. (#137862, @​gnufied) [SIG Apps, Auth, Storage and Testing]
  • Added alpha support for manifest-based admission control configuration (KEP-5793). When the ManifestBasedAdmissionControlConfig feature gate is enabled, admission webhooks and CEL-based policies can be loaded from static manifest files on disk via the staticManifestsDir field in AdmissionConfiguration. These policies are active from API server startup, survive etcd unavailability, and can protect API-based admission resources from modification. (#137346, @​aramase) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
  • Added an admission plugin that validates PodGroup resources reference an existing Workload and match the declared PodGroupTemplate spec. (#137464, @​helayoty) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added list-type support for attributes in DRA (KEP-5491). The DRAListTypeAttributes feature gate (disabled by default) activates the following enhancements:
    • DRA drivers can use list-type fields (bools/ints/strings/versions) for device attributes in ResourceSlice. The number of attribute values, including scalars and lists, per single device is limited to 48.
    • The matchAttribute/distinctAttribute constraints in ResourceClaim now work on both scalar and list attributes. The matchAttribute constraint matches when the intersection of all list values among candidate devices is non-empty. The distinctAttribute constraint (behind the ConsumableCapacity feature gate) matches when all list values among candidate devices are pairwise disjoint. Scalar values are implicitly treated as a singleton set.
    • Added a new CEL function .includes that works on both scalar and list attributes to test inclusion (e.g., device.attributes["dra.example.com"].model.includes("model-a")), supporting migration when a DRA driver changes an attribute value type from scalar to list or vice versa. (#137190, @​everpeace) [SIG API Machinery, Node, Scheduling and Testing]
  • Added new concurrent-node-status-updates flag that is split from the concurrent-node-syncs flag. (#136716, @​yonizxz) [SIG Cloud Provider]
  • Added opt-in alpha support in the kubeletplugin framework for DRA drivers to publish DRA Device metadata in Pod CDI mounts. (#137086, @​alaypatel07) [SIG Apps, Network, Node and Testing]
  • Added opt-in scheduling behavior for CSI volumes. (#137343, @​gnufied) [SIG API Machinery, Scheduling and Storage]
  • Added placement-based PodGroup scheduling algorithm to the scheduler. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136944, @​brejman) [SIG Scheduling and Testing]
  • Added stability-based lifecycle for declarative validation (Alpha/Beta/Stable). Scheduling Workload v1alpha1 now uses explicit declarative enforcement. (#136793, @​yongruilin) [SIG API Machinery and Scheduling]
  • Added the PlacementGenerate extension point to the scheduler. It is used to generate placements for placement-based PodGroup scheduling. Its use is guarded by the TopologyAwareWorkloadScheduling feature gate. (#137083, @​brejman) [SIG Scheduling]
  • Added the PlacementScore extension point to the scheduler for scoring placements in placement-based PodGroup scheduling, guarded by the TopologyAwareWorkloadScheduling feature gate. Deprecated MinNodeScore and MaxNodeScore in favor of MinScore and MaxScore. (#137201, @​brejman) [SIG Scheduling]
  • Added the ResourcePoolStatusRequest API (v1alpha1) for querying DRA resource pool availability. External schedulers can discover available devices across pools before submitting workloads. Requires the DRAResourcePoolStatus feature gate (alpha). (#137028, @​nmn3m) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Scheduling, Storage and Testing]
  • Added the --concurrent-resourceclaim-syncs flag to kube-controller-manager to configure ResourceClaim reconcile concurrency. (#134701, @​anson627) [SIG API Machinery, Apps, Node and Testing]
  • Added the --tls-curve-preferences flag for configuring TLS key exchange mechanism. (#137115, @​damdo) [SIG API Machinery, Architecture, CLI, Cloud Provider, Node and Testing]
  • Added the PodGroupPodsCount scheduler plugin to support workload-aware scheduling by prioritizing placements with higher Pod counts within a group. (#137488, @​vshkrabkov) [SIG Scheduling and Testing]
  • Added the tlsServerName field to EgressSelectorConfiguration TLSConfig to allow overriding the server name used for TLS certificate verification. (#136640, @​kennangaibel) [SIG API Machinery, Apps, Auth, Storage and Testing]
  • Added the alpha DRANodeAllocatableResources feature, which introduces a new ResourceSlice.Spec.Devices[*].NodeAllocatableResourceMappings field for DRA drivers to declare how device resources map to node allocatable Kubernetes resources (e.g., cpu, memory).(#136725, @​pravk03) [SIG API Machinery, Apps, Node, Scheduling and Testing]
  • Added topology-aware scheduling (TAS) logic to the PodGroup scheduling cycle behind the TopologyAwareWorkloadScheduling feature gate, supporting scheduling of PodGroups on nodes with matching topology domains. (#137489, @​brejman) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • Added validation to prevent negative duration values for imageMinimumGCAge. (#135997, @​ngopalak-redhat) [SIG API Machinery and Node]
  • Changed deprecated sets.String with sets.Set[string] in apiserver admission subsystem. This is a breaking change for consumers of the NewLifecycle function. (#134044, @​mcallzbl) [SIG API Machinery and Auth]
  • Clarified documentation and comments to indicate that the cpuCFSQuotaPeriod kubelet config field requires the CustomCPUCFSQuotaPeriod feature gate when using non-default values. No functional changes introduced. (#133845, @​rbiamru) [SIG Node and Release]
  • Corrected OpenAPI schema union validation for the PodGroupPolicy struct in scheduling.k8s.io/v1alpha1. (#136424, @​JoelSpeed) [SIG API Machinery and Scheduling]
  • DRA DeviceTaintRules: the TimeAdded field of the taint is now automatically updated when changing the effect. (#137167, @​pohly) [SIG API Machinery, Node and Testing]
  • DRA: Added a spec.resourceClaims field to PodGroup resources for referencing ResourceClaims and ResourceClaimTemplates. Claims made by a PodGroup are reserved for the entire PodGroup instead of individual Pods, supporting more than 256 Pods sharing a single ResourceClaim. ResourceClaimTemplates referenced by a PodGroup's claim replicate into a ResourceClaim specific to that PodGroup, shared by all of the group's Pods. (#136989, @​nojnhuh) [SIG API Machinery, Apps, Auth, CLI, Cloud Provider, Etcd, Node, Scheduling and Testing]
  • DRA: Graduated Device Binding Conditions (KEP #5007) to beta, enabled by default in v1.36. (#137795, @​ttsuuubasa) [SIG API Machinery, Node, Scheduling and Testing]
  • DRA: Graduated device taints and tolerations (KEP #5055) to beta. Support for DeviceTaints in ResourceSlices is on by default. Support for DeviceTaintRules depends on enabling resource.k8s.io/v1beta2 and the DeviceTaintRules feature gate. (#137170, @​pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Etcd, Node, Scheduling and Testing]
  • Extended NodeResourcesFit to implement the PlacementScore extension point. The usage of the PlacementScore extension point is guarded by the TopologyAwareWorkloadScheduling feature gate. (#136652, @​brejman) [SIG Scheduling]
  • Fixed fake.NewClientset() to work properly with correct schema. (#131068, @​soltysh) [SIG API Machinery]
  • Fixed a few log calls that did not properly format their parameters. (#137108, @​pohly) [SIG API Machinery, Apps, Auth, Cluster Lifecycle, Network, Node, Scheduling and Testing]

... (truncated)

Commits
  • 7ddbf30 release v36.1.0
  • 7730a33 regenerate client for release 36.1.0 (#425)
  • cb0b819 add server side apply (#418)
  • 0c7ebe7 More descriptive error on DynamicClient not initialized (#422)
  • 3cf2945 chore(deps): update setuptools requirement from >=21.0.0 to >=82.0.1 (#421)
  • 33c014b chore(deps): bump codecov/codecov-action from 5 to 6 (#415)
  • 112d4fe Remove outdated compatibility section from readme (#414)
  • c1a69be Fix: HTTP status check skipped when _preload_content=False in REST client (#402)
  • 4a9303c Declare support for Python 3.14 and run it in CI (#410)
  • 15aae49 [doc] update changelog (#408)
  • Additional commits viewable in compare view

Updates pydantic from 2.12.5 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

Fixes

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

Fixes

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits
  • cf67d4b Fix linting
  • f0d8a21 Prepare release v2.13.4
  • 5e3fe1d Check for pydantic tag pattern in CI
  • 7f9edcc Document tagging conventions
  • b46a0c9 Adapt pydantic-core linker flags on macOS
  • 50629c8 Update to PyPy 7.3.22
  • 8522ebb Preserve RootModel core metadata
  • a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
  • 909259a Remove Logfire example in documentation
  • 2c4174c Bump libc from 0.2.155 to 0.2.185
  • Additional commits viewable in compare view

Updates pyjwt from 2.8.0 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

  • GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

  • GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

  • GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

  • GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @KEIJOT.

  • GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @eddieran.

Fixed

  • Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
  • Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
  • RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

  • Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
  • PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
  • PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
  • b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
  • enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

2.12.1

What's Changed

Full Changelog: jpadilla/pyjwt@2.12.0...2.12.1

2.12.0

Security

... (truncated)

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security


- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.

Fixed


- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``"b64"`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups by @kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) <https://github.com/jpadilla/pyjwt/pull/1152>__

v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>__

... (truncated)

Commits
  • 7144e45 Apply ruff format
  • d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
  • 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
  • 95791b1 Bundle security fixes and hardening into 2.13.0
  • dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
  • 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
  • b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
  • 40e3147 Migrate development extras to dependency groups (#1152)
  • a4e1a3d Add typing_extensions dependency for Python < 3.11 (#1151)
  • bd9700c Use PyJWK algorithm when encoding without explicit algorithm (#1148)
  • Additional commits viewable in compare view

Updates python-multipart from 0.0.28 to 0.0.32

Release notes

Sourced from python-multipart's releases.

Version 0.0.32

What's Changed

Full Changelog: Kludex/python-multipart@0.0.31...0.0.32

Version 0.0.31

What's Changed

Full Changelog: Kludex/python-multipart@0.0.30...0.0.31

Version 0.0.30

What's Changed

Full Changelog: Kludex/python-multipart@0.0.29...0.0.30

Version 0.0.29

What's Changed

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.32 (2026-06-04)

  • Speed up partial-boundary scanning for CR/LF-dense part data #300.

0.0.31 (2026-06-04)

  • Speed up multipart header parsing and callback dispatch #295.
  • Bound header field name size before validating #296.
  • Validate Content-Length is non-negative in parse_form #297.

0.0.30 (2026-05-31)

  • Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
  • Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

0.0.29 (2026-05-17)

  • Handle malformed RFC 2231 continuations in parse_options_header #270.
Commits
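The python-multipart changelog entries quoted above (0.0.29 to 0.0.31) describe parser hardening only in one line each. The following is an added, illustrative re-implementation of those rules written for this page; it is not python-multipart's source and does not use its API. The function names mirror the changelog's wording, the str-based return type of parse_options_header and the MAX_FIELD_NAME bound are assumptions, and the sample inputs in the comments are constructed.

```python
"""Illustrative re-implementation of the hardening rules listed in the
python-multipart 0.0.29-0.0.31 changelog. Added example code, not the
library's source: names mirror the changelog, str return types and
MAX_FIELD_NAME are assumptions."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

MAX_FIELD_NAME = 256  # assumed bound; the library's real limit is not quoted on this page

# RFC 9110 "tchar": the only bytes allowed in a header field name.
_TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                   b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def _split_params(value: str) -> list[str]:
    """Split on ';' but not inside double quotes (a filename may contain ';')."""
    parts: list[str] = []
    buf: list[str] = []
    quoted = False
    for ch in value:
        if ch == '"' and not (buf and buf[-1] == "\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_options_header(value: str) -> tuple[str, dict[str, str]]:
    """Parse 'form-data; name="f"; filename="a.txt"' into (type, params).

    RFC 7578 §4.2: the plain parameter is authoritative, so any RFC 2231/5987
    extended form (key ending in '*', e.g. filename*=utf-8''x) is dropped.
    Otherwise a filter inspecting `filename` could be bypassed by a second,
    differently encoded name smuggled in `filename*`.
    """
    if not value:
        return "", {}
    main, *raw_params = _split_params(value)
    params: dict[str, str] = {}
    for part in raw_params:
        key, sep, raw = part.partition("=")
        key = key.strip().lower()
        if not sep or not key or key.endswith("*"):
            continue  # malformed, or an extended parameter: ignored
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        params.setdefault(key, raw)  # first occurrence wins; duplicates are not merged
    return main.strip().lower(), params


def parse_urlencoded(body: bytes) -> list[tuple[bytes, bytes]]:
    """application/x-www-form-urlencoded per the WHATWG URL standard.

    Only '&' separates fields; ';' is ordinary data. Parsers that also split
    on ';' let one body parse differently in two components. '+' is space,
    %XX is percent-decoded in both names and values.
    """
    fields: list[tuple[bytes, bytes]] = []
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, val = pair.partition(b"=")
        fields.append((unquote_to_bytes(name.replace(b"+", b" ")),
                       unquote_to_bytes(val.replace(b"+", b" "))))
    return fields


def validate_content_length(header: str | None) -> int | None:
    """Return the declared length, None when absent; reject garbage and negatives."""
    if header is None:
        return None
    text = header.strip()
    if not re.fullmatch(r"-?\d+", text):
        raise ValueError(f"Content-Length is not an integer: {header!r}")
    length = int(text)
    if length < 0:
        raise ValueError(f"Content-Length must be non-negative, got {length}")
    return length


def validate_header_name(name: bytes) -> bytes:
    """Bound the size first, then check the token grammar, so an oversized
    name is rejected in O(1) instead of being scanned byte by byte."""
    if len(name) > MAX_FIELD_NAME:
        raise ValueError(f"header field name longer than {MAX_FIELD_NAME} bytes")
    if not name or any(b not in _TCHAR for b in name):
        raise ValueError(f"invalid header field name: {name!r}")
    return name
```

With a constructed input such as `form-data; name="upload"; filename="report.pdf"; filename*=utf-8''shell.php`, only `report.pdf` survives as the filename, and `user=alice;admin=1&note=x` yields two fields, with `alice;admin=1` kept intact as the first value. The Content-Length and header-name checks are the kind of pre-validation a multipart parser should do before allocating or scanning anything based on attacker-supplied sizes.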

@socket-security

socket-security Bot commented Jun 18, 2026


@dependabot dependabot Bot changed the title from "build(deps): bump the production group in /backend with 10 updates" to "build(deps): bump the production group across 1 directory with 10 updates" on Jun 22, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/backend/production-b2dc3f233b branch 2 times, most recently from 9274dff to 10f433c on June 22, 2026 20:27
@mistydemeo

Contributor

Looks like the errors here come from kubernetes-asyncio, which introduced typing to optional params in 35.0.0 (tomplus/kubernetes_asyncio@8cfb2ad) which is incompatible with how we were calling a couple of things.

…ates

Updates the requirements on [fastapi](https://github.com/fastapi/fastapi), [kubernetes](https://github.com/kubernetes-client/python), [kubernetes-asyncio](https://github.com/tomplus/kubernetes_asyncio), [pydantic](https://github.com/pydantic/pydantic), [pyjwt](https://github.com/jpadilla/pyjwt), [python-multipart](https://github.com/Kludex/python-multipart), [redis](https://github.com/redis/redis-py), [setuptools](https://github.com/pypa/setuptools), [types-pyyaml](https://github.com/python/typeshed) and [uvicorn[standard]](https://github.com/Kludex/uvicorn) to permit the latest version.

Updates `fastapi` from 0.128.0 to 0.137.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.128.0...0.137.1)

Updates `kubernetes` from 35.0.0 to 36.0.2
- [Release notes](https://github.com/kubernetes-client/python/releases)
- [Changelog](https://github.com/kubernetes-client/python/blob/v36.0.2/CHANGELOG.md)
- [Commits](kubernetes-client/python@v35.0.0...v36.0.2)

Updates `kubernetes-asyncio` from 29.0.0 to 36.1.0
- [Changelog](https://github.com/tomplus/kubernetes_asyncio/blob/main/CHANGELOG.md)
- [Commits](tomplus/kubernetes_asyncio@29.0.0...36.1.0)

Updates `pydantic` from 2.12.5 to 2.13.4
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v2.12.5...v2.13.4)

Updates `pyjwt` from 2.8.0 to 2.13.0
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.8.0...2.13.0)

Updates `python-multipart` from 0.0.28 to 0.0.32
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.28...0.0.32)

Updates `redis` from 7.4.0 to 8.0.0
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@v7.4.0...v8.0.0)

Updates `setuptools` from 81.0.0 to 82.0.1
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v81.0.0...v82.0.1)

Updates `types-pyyaml` from 6.0.12.20260510 to 6.0.12.20260518
- [Commits](https://github.com/python/typeshed/commits)

Updates `uvicorn[standard]` to 0.49.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.46.0...0.49.0)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.136.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: kubernetes
  dependency-version: 36.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: kubernetes-asyncio
  dependency-version: 36.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: pyjwt
  dependency-version: 2.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: python-multipart
  dependency-version: 0.0.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: redis
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: setuptools
  dependency-version: 82.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: types-pyyaml
  dependency-version: 6.0.12.20260518
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: uvicorn[standard]
  dependency-version: 0.49.0
  dependency-type: direct:production
  dependency-group: production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/backend/production-b2dc3f233b branch from 10f433c to 7e59011 on June 23, 2026 23:08
@mistydemeo

Contributor

Double checked and those type errors are bugs in kubernetes-asyncio, not an issue on our end. Filed upstream issues and a PR.


Labels

dependencies (Pull requests that update a dependency file), python:uv (Pull requests that update python:uv code)
