fix(deps): bump PyJWT to 2.13.0 for GHSA-xgmm-8j9v-c9wx#17997

Merged
david-leifker merged 1 commit into master from fix/cve-2026-54293-pyjwt-nltk-security on Jun 23, 2026
Conversation

@david-leifker

Summary

  • Bump PyJWT from 2.11.0 to 2.13.0 to address GHSA-xgmm-8j9v-c9wx / CVE-2026-48526 (JWK JSON accepted as an HMAC secret when mixed asymmetric/HMAC JWT verification is enabled).
  • Add PyJWT>=2.13.0 to framework_common in setup.py and raise the Docker ingestion constraint floor.
  • Regenerate pyproject.toml, uv.lock, and constraints.txt.

Notes

  • GHSA-537c-gmf6-5ccf (cryptography) is already satisfied on master at 48.0.1 — no change in this PR.
  • CVE-2026-54293 (nltk) is intentionally out of scope; patched nltk 3.10.0 is not yet on PyPI.

Test plan

  • ./gradlew :metadata-ingestion:checkLockFile
  • ./gradlew :metadata-ingestion:lintFix
  • Rebuild ingestion / actions images and confirm ABC/Twistlock no longer flags pyjwt < 2.13.0

Made with Cursor

@github-actions github-actions Bot added ingestion PR or Issue related to the ingestion of metadata devops PR or Issue related to DataHub backend & deployment labels Jun 23, 2026
Enforce PyJWT>=2.13.0 in uv constraint-dependencies and Docker ingestion
constraints instead of setup.py, avoiding conflicts with Airflow's pinned
PyJWT versions in airflow-plugin CI.

Co-authored-by: Cursor <cursoragent@cursor.com>
@codecov

codecov Bot commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

@david-leifker david-leifker force-pushed the fix/cve-2026-54293-pyjwt-nltk-security branch from 56c2ec4 to 74b083b Compare June 23, 2026 00:07
@david-leifker david-leifker enabled auto-merge (squash) June 23, 2026 00:08
@maggiehays maggiehays added the needs-review Label for PRs that need review from a maintainer. label Jun 23, 2026
@datahub-connector-tests

Connector Tests Results

All connector tests passed for commit 74b083b

Autogenerated by the connector-tests CI pipeline.

@david-leifker david-leifker merged commit 4cd811e into master Jun 23, 2026
99 of 102 checks passed
@david-leifker david-leifker deleted the fix/cve-2026-54293-pyjwt-nltk-security branch June 23, 2026 10:41