Bump python-jose from 3.3.0 to 3.5.0 in /backend
Open
Number: #19
Type: Pull Request
State: Open
Author: dependabot[bot]
Association: None
Comments: 0
Created: August 12, 2025 at 06:45 AM UTC (about 1 month ago)
Updated: August 12, 2025 at 06:45 AM UTC (about 1 month ago)
Labels: dependencies, python
Description:
Bumps python-jose from 3.3.0 to 3.5.0.
Release notes
Sourced from python-jose's releases.
3.5.0
- Remove support for Python 3.8
- Added support for Python 3.12 & 3.13
- Upgrade to pyasn1 0.5.1+
- Upgrade to pytest and other dependencies
- Add RTD config file to silence emailed deprecation warnings
Bug fixes and Improvements
- Remove get_random_bytes from cryptography backend
- Do not use `utc_now` on module level
- Remove key data (sensitive information) from JWKError exceptions
- Added possibility to call jwk.construct() with a private RSA key
https://pypi.org/project/python-jose/3.5.0/
3.4.0
News
- Remove support for Python 3.6 and 3.7
- Added support for Python 3.10 and 3.11
Bug fixes and Improvements
- Updating `CryptographyAESKey::encrypt` to generate 96 bit IVs for GCM block cipher mode
- Fix for PEM key comparisons caused by line lengths and new lines
- Fix for CVE-2024-33664 - JWE limited to 250KiB
- Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
- Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)
Housekeeping
- Updated Github Actions Workflows
- Updated to use tox 4.x
- Revise codecov integration
- Fixed DeprecationWarnings
Changelog
Sourced from python-jose's changelog.
3.5.0 -- 2025-05-28
News
- Remove support for Python 3.8
- Added support for Python 3.12 & 3.13
- Upgrade to pyasn1 0.5.1+
- Upgrade to pytest and other dependencies
- Add RTD config file to silence emailed deprecation warnings
Bug fixes and Improvements
- Remove get_random_bytes from cryptography backend
- Do not use `utc_now` on module level
- Remove key data (sensitive information) from JWKError exceptions
- Added possibility to call jwk.construct() with a private RSA key
3.4.0 -- 2025-02-14
News
- Remove support for Python 3.6 and 3.7
- Added support for Python 3.10 and 3.11
Bug fixes and Improvements
- Updating `CryptographyAESKey::encrypt` to generate 96 bit IVs for GCM block cipher mode
- Fix for PEM key comparisons caused by line lengths and new lines
- Fix for CVE-2024-33664 - JWE limited to 250KiB
- Fix for CVE-2024-33663 - signing JWT with public key is now forbidden
- Replace usage of deprecated datetime.utcnow() with datetime.now(UTC)
Housekeeping
- Updated Github Actions Workflows
- Updated to use tox 4.x
- Revise codecov integration
- Fixed DeprecationWarnings
Commits
- 018b310 Prepare release 3.5.0 (#388)
- 393c374 Improve jwt.decode key doc (#198)
- 50d4390 utils.py: fix types in docstrings for base64url_encode/decode (#269)
- 8fd0b63 Add RTD config file to silence emailed deprecation warnings (#333)
- 6f03385 Added possibility to call jwk.construct() with a private key (#295)
- 2f0aca6 Add python_requires arg to setup.cfg (#273)
- 895777e Updated pyasn version to match latest (#338)
- 45bd124 Update jwk.py (#328)
- 1f0ae0a docs: Fix a few typos (#299)
- ceaac36 Do not use `utc_now` on module level (#372)
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Pull Request Statistics
Commits: 1
Files Changed: 2
Additions: +2
Deletions: -2
Package Dependencies
Security Advisories
Xuxueli xxl-job template injection vulnerability
GHSA-2v42-xp3j-47m4
CVE-2024-3366
LOW
A vulnerability classified as problematic was found in Xuxueli xxl-job version 2.4.0. This vulnerability affects the function `deserialize` of the file `com/xxl/job/core/util/JdkSerializeTool.java`...
python-jose algorithm confusion with OpenSSH ECDSA keys
GHSA-6c5p-j8vq-pqhj
CVE-2024-33663
CRITICAL
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
python-jose denial of service via compressed JWE content
GHSA-cjwg-qfpm-7377
CVE-2024-33664
MODERATE
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JW...
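As an added example (not python-jose's own code, and not dependent on it), a standard-library pre-verification guard against the two vulnerability classes listed above: it rejects a token whose header `alg` is absent from an explicit allowlist or does not match the verifying key's JWK type (the algorithm-confusion class of CVE-2024-33663), and refuses tokens over the 250 KiB bound before any decoding happens (the resource-consumption class of CVE-2024-33664). The `ALG_TO_KTY` table and the `guard_token`/`make_test_token` names are assumptions of this example.

```python
import base64
import json

# Added example, not python-jose code. Same 250 KiB bound the 3.4.0 notes cite.
MAX_TOKEN_BYTES = 250 * 1024

# JWK "kty" that may legitimately verify each JWS algorithm (assumed table,
# built from the RFC 7518 algorithm families; not a library API).
ALG_TO_KTY = {
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
}


def b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def guard_token(token: str, key_kty: str, allowed_algs) -> str:
    """Return the header alg if the token may be handed to a signature
    verifier; raise ValueError otherwise. Runs before any cryptography."""
    if len(token.encode("utf-8")) > MAX_TOKEN_BYTES:
        raise ValueError("token larger than %d bytes" % MAX_TOKEN_BYTES)
    parts = token.split(".")
    if len(parts) != 3:  # compact JWS only: header.payload.signature
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise ValueError("unparseable JOSE header") from None
    alg = header.get("alg") if isinstance(header, dict) else None
    # The allowlist comes from the verifier's config, never from the token;
    # a missing alg, "none", or any alg not listed is rejected here.
    if alg not in allowed_algs:
        raise ValueError("alg %r not on allowlist" % alg)
    # Key-type pinning: an RSA public key must never serve as an HMAC secret.
    if ALG_TO_KTY.get(alg) != key_kty:
        raise ValueError("alg %r does not match key type %r" % (alg, key_kty))
    return alg


def make_test_token(alg: str) -> str:
    """Constructed sample: empty payload, dummy signature (not a valid JWT)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return ".".join([header, b64url_encode(b"{}"), "sig"])
```

Call `guard_token` with the key type and allowlist taken from your own configuration, then pass only tokens that survive it to the library's `jwt.decode` with the same explicit `algorithms` list.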
Technical Details
ID: 4985467
UUID: 2737877471
Node ID: PR_kwDOPcRV386jMLHf
Host: GitHub
Repository: BestAssist/Hotel-Reservation-React-Redux-Sagas-Example---JavaScript-Python-
Merge State: Unknown