Python-RSA dependency library is retired
The Python rsa dependency is no longer maintained.
It is not even used when jose is installed with [pycryptodome] or [cryptography] optionals.
Is there a way to cleanly remove this dependency from python-jose?
Why? It's still in use https://github.com/mpdavis/python-jose/blob/master/jose/backends/rsa_backend.py#L4
upd: better to point at this try block https://github.com/mpdavis/python-jose/blob/master/jose/backends/__init__.py#L3
> Why?

- The last release of the `rsa` library was in 2022.
- The maintainers retired the library in April 2025.
- It is a security risk to continue to depend on a retired and unmaintained cryptography library.
- The recommendation is for dependent projects to switch to the `cryptography` or `pycryptodome` libraries instead. `python-jose` already has support for these.
The main reason this dependency is affecting my workflow:
There are no wheels available for `rsa` for Python 3.9+, which means installing any library that depends on `rsa` (for example `python-jose`) will need full build tools and headers available in the installation environment. This is not ideal when building/testing projects in CI/CD pipelines.
> It's still in use

Your example in the codebase shows that the `rsa` library is only used when `cryptography` or `pycryptodome` are not installed.
My understanding is that most users will be using either the `cryptography` or `pycryptodome` backend, so the `rsa` backend is not often used, but it's non-optional, and the codebase is still encumbered by its inclusion.
Fair point! Maybe it's good to at least display a warning message when the fallback import happens? (imo removal should be in a major release)
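The warning-on-fallback idea from the last reply, written out as an added example. This is not python-jose's own backend-selection code; it is a stand-alone sketch of the pattern: try the maintained libraries first, and only when the retired `rsa` package is the sole option, select it and emit a `DeprecationWarning` subclass so CI can turn it into an error with `-W error::DeprecationWarning`. The backend names, the `RetiredBackendWarning` class and the injectable `import_module` parameter (used so the chain can be exercised offline without any of the three libraries installed) are assumptions of this example, not names from the project.

```python
import importlib
import warnings
from typing import Callable, List, Tuple

# Preference order, following the thread: maintained libraries first,
# the retired `rsa` package only as a last resort.
BACKEND_PREFERENCE = ("cryptography", "pycryptodome", "rsa")


class RetiredBackendWarning(DeprecationWarning):
    """Hypothetical warning class: emitted when the unmaintained `rsa`
    package is the only RSA backend that could be imported."""


def select_rsa_backend(import_module: Callable[[str], object] = importlib.import_module) -> str:
    """Return the name of the first importable backend in BACKEND_PREFERENCE.

    `import_module` is injectable (defaults to importlib.import_module) so the
    fallback chain can be tested without the real libraries present.
    """
    for name in BACKEND_PREFERENCE:
        try:
            import_module(name)
        except ImportError:
            continue
        if name == "rsa":
            # Deliberately a DeprecationWarning subclass: silent for end users
            # by default, but `python -W error::DeprecationWarning` in CI makes
            # an accidental fallback fail the build.
            warnings.warn(
                "Falling back to the retired, unmaintained 'rsa' package for RSA "
                "operations; install 'cryptography' or 'pycryptodome' instead.",
                RetiredBackendWarning,
                stacklevel=2,
            )
        return name
    raise ImportError("no RSA backend available: install cryptography or pycryptodome")


def fake_importer(available: set) -> Callable[[str], object]:
    """Constructed stand-in for importlib.import_module that 'succeeds' only
    for the module names in `available`. Test scaffolding, not real imports."""

    def _import(name: str) -> object:
        if name in available:
            return object()
        raise ImportError(f"No module named {name!r}")

    return _import


def select_with_warnings(import_module: Callable[[str], object]) -> Tuple[str, List[type]]:
    """Run select_rsa_backend and return (chosen backend, warning categories emitted)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        chosen = select_rsa_backend(import_module)
    return chosen, [w.category for w in caught]


if __name__ == "__main__":
    # Simulated environments: only the last one should warn.
    for env in ({"cryptography", "rsa"}, {"pycryptodome", "rsa"}, {"rsa"}):
        print(sorted(env), "->", select_with_warnings(fake_importer(env)))
```

Running the module with only `rsa` "installed" prints `['rsa'] -> ('rsa', [RetiredBackendWarning])`, while the other two environments select the maintained library and emit nothing.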