chore(deps): bump pyjwt to 2.13.0 (CVE-2026-48526)#41288

Open
rusackas wants to merge 1 commit into
masterfrom
chore/bump-pyjwt-2.13.0

Conversation

@rusackas

Member

SUMMARY

Bumps pyjwt from 2.12.0 to 2.13.0 to address CVE-2026-48526 (GHSA-xgmm-8j9v-c9wx): PyJWT < 2.13.0 accepts a public-key JWK as an HMAC secret, allowing forged HS256 tokens when mixed key families are permitted.

PyJWT is a direct dependency (pyproject.toml: PyJWT>=2.4.0, <3.0) and is used for JWT handling, including embedded/guest tokens. The existing constraint already permits 2.13.0, so this is just a lockfile patch bump in requirements/base.txt and requirements/development.txt.

This clears the open Dependabot alerts for pyjwt (#1342 high, plus the medium/low duplicates) which had no Dependabot PR since pyjwt is resolved transitively in the compiled lockfiles.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A, dependency bump.

TESTING INSTRUCTIONS

CI. No code changes; patch-level bump of a backward-compatible release.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
  • Introduces new feature or API
  • Removes existing feature or API

PyJWT < 2.13.0 accepts a public-key JWK as an HMAC secret, enabling forged
HS256 tokens when mixed key families are allowed (CVE-2026-48526,
GHSA-xgmm-8j9v-c9wx). PyJWT is a direct dependency (pyproject: PyJWT>=2.4.0,<3.0)
used for JWT handling including guest tokens. Patch bump in both lockfiles;
pyproject already allows it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
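A pre-verification guard for the bug class this bump fixes, as an added example (not code from this PR, Superset, or PyJWT): it classifies the verification key's family and refuses HS* algorithms with an asymmetric key, or an allow-list that mixes key families. The names `check_key_family` and `KeyFamilyMismatch` and the sample JWK are constructed for illustration.

```python
"""Reject key/algorithm pairings that cross key families before verifying a JWT.

Added example, independent of PyJWT: a public-key JWK (kty RSA/EC/OKP) or a
PEM key must never be accepted as an HMAC secret for HS256/384/512.
"""
import json
import re

HMAC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_KTY = {"RSA", "EC", "OKP"}
_PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?(?:PUBLIC|PRIVATE) KEY-----")


class KeyFamilyMismatch(ValueError):
    """Raised when the key type does not match the requested algorithms."""


def key_family(key):
    """Classify a key as 'symmetric' or 'asymmetric' (JWK dict/JSON, PEM, or raw secret)."""
    jwk = key if isinstance(key, dict) else None
    if isinstance(key, (str, bytes)):
        text = key.decode("utf-8", "replace") if isinstance(key, bytes) else key
        text = text.strip()
        if _PEM_KEY.search(text):
            return "asymmetric"
        if text.startswith("{"):  # JSON-encoded JWK
            try:
                jwk = json.loads(text)
            except ValueError:
                jwk = None
    if isinstance(jwk, dict):
        kty = jwk.get("kty")
        if kty in ASYMMETRIC_KTY:
            return "asymmetric"
        if kty == "oct":
            return "symmetric"
        raise KeyFamilyMismatch(f"unknown JWK kty: {kty!r}")
    return "symmetric"  # anything else is treated as an opaque shared secret


def check_key_family(key, algorithms):
    """Return the key family if key and allow-list agree; raise otherwise."""
    algs = set(algorithms)
    if not algs or "none" in algs:
        raise KeyFamilyMismatch("allow-list must be non-empty and exclude 'none'")
    hmac_wanted, asym_wanted = algs & HMAC_ALGS, algs - HMAC_ALGS
    if hmac_wanted and asym_wanted:  # the precondition of the bug: mixed families
        raise KeyFamilyMismatch(f"mixed key families in allow-list: {sorted(algs)}")
    family = key_family(key)
    if hmac_wanted and family != "symmetric":
        raise KeyFamilyMismatch("asymmetric key offered as HMAC secret")
    if asym_wanted and family != "asymmetric":
        raise KeyFamilyMismatch("shared secret offered for an asymmetric algorithm")
    return family


def is_rejected(key, algorithms):
    """True if check_key_family would refuse the pairing (audit helper)."""
    try:
        check_key_family(key, algorithms)
    except KeyFamilyMismatch:
        return True
    return False
```

Call `check_key_family` with the same key and `algorithms` list you are about to pass to the JWT library, and treat `KeyFamilyMismatch` as a hard failure.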
@bito-code-review

bito-code-review Bot commented Jun 22, 2026

Contributor

Code Review Agent Run #66cdb7

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: e803cdb..e803cdb
    • requirements/base.txt
    • requirements/development.txt
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


@netlify

netlify Bot commented Jun 22, 2026


Deploy Preview for superset-docs-preview ready!

Latest commit: e803cdb
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6a398093b917fa0008a2e1f8
Deploy Preview: https://deploy-preview-41288--superset-docs-preview.netlify.app

@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.33%. Comparing base (27a6525) to head (e803cdb).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41288      +/-   ##
==========================================
- Coverage   64.34%   64.33%   -0.01%     
==========================================
  Files        2653     2653              
  Lines      145015   145025      +10     
  Branches    33459    33461       +2     
==========================================
- Hits        93310    93305       -5     
- Misses      50022    50035      +13     
- Partials     1683     1685       +2     
Flag       Coverage   Δ
hive        39.27%    <ø>  (-0.01%) ⬇️
mysql       58.00%    <ø>  (-0.01%) ⬇️
postgres    58.07%    <ø>  (-0.02%) ⬇️
presto      40.86%    <ø>  (-0.01%) ⬇️
python      59.51%    <ø>  (-0.02%) ⬇️
sqlite      57.72%    <ø>  (-0.01%) ⬇️
unit       100.00%    <ø>  (ø)

