From e803cdb38ec84596b13422cf4ffb0563a8436f36 Mon Sep 17 00:00:00 2001
From: Amin Ghadersohi
Date: Mon, 22 Jun 2026 11:35:26 -0700
Subject: [PATCH] chore(deps): bump pyjwt to 2.13.0 (CVE-2026-48526)

PyJWT < 2.13.0 accepts a public-key JWK as an HMAC secret, enabling forged HS256 tokens when mixed key families are allowed (CVE-2026-48526, GHSA-xgmm-8j9v-c9wx).

PyJWT is a direct dependency (pyproject: PyJWT>=2.4.0,<3.0) used for JWT handling including guest tokens. Patch bump in both lockfiles; pyproject already allows it.

Co-Authored-By: Claude Fable 5
---
 requirements/base.txt | 2 +-
 requirements/development.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/base.txt b/requirements/base.txt
index 230afa5023ab..c1641f1558a4 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -315,7 +315,7 @@ pygeohash==3.2.2
 # via apache-superset (pyproject.toml)
 pygments==2.20.0
 # via rich
-pyjwt==2.12.0
+pyjwt==2.13.0
 # via
 # apache-superset (pyproject.toml)
 # flask-appbuilder
diff --git a/requirements/development.txt b/requirements/development.txt
index 81c47a31ef85..f1dfa4a4c05f 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -769,7 +769,7 @@ pyhive==0.7.0
 # via apache-superset
 pyinstrument==5.1.2
 # via apache-superset
-pyjwt==2.12.0
+pyjwt==2.13.0
 # via
 # -c requirements/base-constraint.txt
 # apache-superset