
Allow minor version updates of aiohttp, certifi, requests and urllib3 dependencies

Open dude0001 opened this issue 1 year ago • 3 comments

Upgrading the package from 0.2.4 to 0.2.6 requires downgrading certifi, requests and urllib3 to the versions pinned in 0.2.6. This is a regression introduced in #63.

A change was made to pyproject.toml to allow minor version updates to the aiohttp, certifi, requests and urllib3 dependencies, and poetry.lock was relocked. certifi was updated to latest to restore previous support for the 2004.x major version.

Additionally, some leftover references were removed for the python-jose package that was removed in #60.

dude0001 avatar Aug 02 '24 14:08 dude0001
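The description above hinges on the difference between an exact `==` pin, which forces a downgrade whenever an installed package is newer than the pinned release, and a Poetry tilde (`~`) or caret (`^`) constraint, which admits minor or patch updates. The snippet below is an added illustration, not code from okta-jwt-verifier-python or from the PR: it evaluates those three constraint forms using Poetry's documented semantics (`~1.2` allows `>=1.2.0,<1.3.0`; `^1.2.3` allows `>=1.2.3,<2.0.0`; `^0.2.3` allows only `>=0.2.3,<0.3.0`) and checks an environment against a pinned and a relaxed dependency table. The package names match the ones discussed in the PR, but every version number here is constructed for the example and is not the value pinned in any release; the PR does not state which operator it used.

```python
"""Evaluate Poetry-style dependency constraints (==, ~, ^) against installed versions.

Added example; versions below are constructed, not taken from okta-jwt-verifier-python.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def _pad(parts: List[int]) -> Version:
    """Pad a 1-3 component version to a (major, minor, patch) triple."""
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version components: {parts}")
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def parse_version(text: str) -> Version:
    """Parse 'x', 'x.y' or 'x.y.z' into a comparable integer triple."""
    return _pad([int(p) for p in text.strip().split(".")])


def constraint_range(constraint: str) -> Tuple[Version, Version, bool]:
    """Return (lower, upper, upper_inclusive) for a ==, ~ or ^ constraint.

    ==x.y.z : exactly that version (inclusive upper bound equal to lower).
    ~x.y[.z]: patch updates only (>=x.y.z, <x.(y+1).0); ~x alone allows minor updates.
    ^x.y.z  : updates that leave the left-most non-zero component unchanged.
    """
    c = constraint.strip()
    if c.startswith("=="):
        v = parse_version(c[2:])
        return v, v, True
    if c.startswith("~"):
        given = [int(p) for p in c[1:].split(".")]
        lower = _pad(given)
        upper: Version = (given[0] + 1, 0, 0) if len(given) == 1 else (given[0], given[1] + 1, 0)
        return lower, upper, False
    if c.startswith("^"):
        given = [int(p) for p in c[1:].split(".")]
        lower = _pad(given)
        nonzero = [i for i, p in enumerate(given) if p]
        # Bump the first non-zero component (or the last given one if all are zero),
        # zero everything after it: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0 -> <0.1.0.
        idx = nonzero[0] if nonzero else len(given) - 1
        bumped = given[:idx] + [given[idx] + 1] + [0] * (len(given) - idx - 1)
        return lower, _pad(bumped), False
    raise ValueError(f"unsupported constraint: {constraint!r}")


def allows(constraint: str, version: str) -> bool:
    """True if `version` satisfies `constraint`."""
    lower, upper, inclusive = constraint_range(constraint)
    v = parse_version(version)
    return lower <= v and (v <= upper if inclusive else v < upper)


def check_environment(constraints: Dict[str, str], installed: Dict[str, str]) -> Dict[str, bool]:
    """For each dependency, report whether the installed version satisfies the constraint.

    A False entry is a package the resolver would have to downgrade or upgrade.
    """
    return {name: allows(spec, installed[name]) for name, spec in constraints.items() if name in installed}


def forced_changes(constraints: Dict[str, str], installed: Dict[str, str]) -> List[str]:
    """Names of installed packages that the given constraint table would force to change."""
    return sorted(name for name, ok in check_environment(constraints, installed).items() if not ok)


# Constructed environment: an application that already runs newer releases.
INSTALLED = {"aiohttp": "3.9.5", "certifi": "2024.7.4", "requests": "2.32.3", "urllib3": "2.2.2"}

# Constructed tables: exact pins versus constraints that admit compatible updates.
PINNED = {"aiohttp": "==3.9.0", "certifi": "==2024.2.2", "requests": "==2.31.0", "urllib3": "==2.2.0"}
RELAXED = {"aiohttp": "^3.9.0", "certifi": "^2024.2.2", "requests": "^2.31.0", "urllib3": "^2.2.0"}

if __name__ == "__main__":
    print("pinned table forces changes to:", forced_changes(PINNED, INSTALLED))
    print("relaxed table forces changes to:", forced_changes(RELAXED, INSTALLED))
```

Running the script shows the pinned table forcing every listed package to change while the caret table accepts all of them; a `0.x` package under a caret constraint still only admits patch updates, which is why the left-most non-zero rule matters when relaxing pins.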

@bretterer can someone take a look at this?

dude0001 avatar Aug 30 '24 01:08 dude0001

Please can somebody at Okta take a look at this PR.

I'm more than a little shocked that a company such as Okta, that is selling critical identity management software to organisations around the world, is so lax at keeping published packages up to date with regards to security vulnerabilities. It feels to me that these fundamental and pervasive security concerns should go hand-in-glove.

You've whacked one mole (python-jose) but as a result your package now downgrades a number of other common python packages. It simply isn't good enough.

sammort avatar Sep 12 '24 12:09 sammort

#69 should be preferred

dimbleby avatar Sep 17 '24 07:09 dimbleby

#69 has been merged and this PR can be closed @dude0001

sammort avatar Oct 04 '24 10:10 sammort

Closing in favor of #69. Thank you for helping get this addressed to all those involved!

dude0001 avatar Oct 04 '24 13:10 dude0001