fix(deps): bump PyJWT to 2.13.0 for GHSA-xgmm-8j9v-c9wx (#17997)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: david-leifker

docker/snippets/ingestion/constraints.txt

@@ -10,8 +10,8 @@ jaraco.context>=6.1.0,<7
 idna>=3.15,<4.0.0
 # urllib3: CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 fixed in >=2.6.3.
 # Not pinned here: acryl-great-expectations (via acryl-datahub[snowflake]) requires urllib3<1.27.
-# PyJWT: CVE-2026-32597
-PyJWT>=2.12.0
+# PyJWT: GHSA-xgmm-8j9v-c9wx (JWK-as-HMAC confusion); fixed in >=2.13.0
+PyJWT>=2.13.0
 # pyOpenSSL: CVE-2026-27459
 pyopenssl>=26.0.0
 # pyasn1: CVE-2026-30922

metadata-ingestion/constraints.txt

@@ -1230,7 +1230,7 @@ pyiceberg==0.11.1
     # via acryl-datahub
 pyiceberg-core==0.6.0
     # via pyiceberg
-pyjwt==2.11.0
+pyjwt==2.13.0
     # via
     #   feast
     #   msal
@@ -1868,6 +1868,7 @@ typing-extensions==4.15.0
     #   pydantic
     #   pydantic-core
     #   pydash
+    #   pyjwt
     #   pyopenssl
     #   pypdf
     #   pytest-asyncio

metadata-ingestion/pyproject.toml

@@ -2195,6 +2195,10 @@ constraint-dependencies = [
     # Not in setup.py: Airflow constraints pin idna to older versions (e.g. 3.4, 3.10).
     # Enforced for Docker via docker/snippets/ingestion/constraints.txt.
     "idna>=3.15,<4.0.0",
+    # GHSA-xgmm-8j9v-c9wx: reject JWK JSON as HMAC secret; fixed in PyJWT 2.13.0.
+    # Not in setup.py: Airflow constraints pin PyJWT to older versions (e.g. 2.10.1, 2.12.1).
+    # Enforced for Docker via docker/snippets/ingestion/constraints.txt.
+    "PyJWT>=2.13.0,<3.0.0",
 ]
 
 [tool.ruff]