From e69135852ec2947d0545a5570baaed1dec659f59 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 26 May 2026 18:11:36 +0000
Subject: [PATCH] SK-2851: Loosen PyJWT, python-dotenv, urllib3 dependency pins

Widen three transitive pins that were forcing customers onto outdated versions and blocking them from picking up upstream security fixes (notably CVE-2026-32597 in PyJWT < 2.12.0):

PyJWT ~=2.9.0 -> >= 2.9, < 3
python-dotenv ~=1.0.1 -> >= 1.0, < 2
urllib3 >= 1.25.3, < 2.1 -> >= 1.25.3, < 3

Also harmonizes the urllib3 range between setup.py and requirements.txt (previously diverged at <=2.6.3 vs <2.1.0).

Verified the test suite passes against the latest of each dep (PyJWT 2.13.0, python-dotenv 1.2.2, urllib3 2.7.0).

https://claude.ai/code/session_01KSRSfYXWLyJHWjTAKmAXNo
---
requirements.txt | 6 +++---
setup.py | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 687bfb9b..b0e96062 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,12 +1,12 @@
 python_dateutil >= 2.5.3
 setuptools >= 21.0.0
-urllib3 >= 1.25.3, < 2.1.0
+urllib3 >= 1.25.3, < 3
 pydantic >= 2
 typing-extensions >= 4.7.1
 DateTime~=5.5
-PyJWT~=2.9.0
+PyJWT >= 2.9, < 3
 requests~=2.32.3
 coverage
 cryptography
-python-dotenv~=1.0.1
+python-dotenv >= 1.0, < 2
 httpx
\ No newline at end of file
diff --git a/setup.py b/setup.py
index a761dfc2..e667d729 100644
--- a/setup.py
+++ b/setup.py
@@ -26,15 +26,15 @@
 install_requires=[
 'python_dateutil >= 2.5.3',
 'setuptools >= 75.3.3',
- 'urllib3 >= 1.25.3, <= 2.6.3',
+ 'urllib3 >= 1.25.3, < 3',
 'pydantic >= 2',
 'typing-extensions >= 4.7.1',
 'DateTime~=5.5',
- 'PyJWT~=2.9.0',
+ 'PyJWT >= 2.9, < 3',
 'requests~=2.32.3',
 'coverage',
 'cryptography',
- 'python-dotenv~=1.0.1',
+ 'python-dotenv >= 1.0, < 2',
 'httpx'
 ],
 extras_require={
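Review bot: The new PyJWT line `+PyJWT >= 2.9, < 3` still admits the 2.9–2.11 releases that the commit message itself describes as affected by the CVE it cites as the motivation, so an environment with an older lock or a conflicting constraint can keep resolving to a version with the issue; the same applies to the `'PyJWT >= 2.9, < 3',` line in the setup.py hunk. If the supported Python range allows it, raise the floor to the fixed release named in the message, `PyJWT >= 2.12, < 3` here and `'PyJWT >= 2.12, < 3',` in setup.py, or state in the commit message why only the ceiling is widened so the advisory-driven floor can be tracked later. The harmonization described for urllib3 also leaves the two files disagreeing on `setuptools` (the context lines show `setuptools >= 21.0.0` here against `'setuptools >= 75.3.3',` in setup.py), which looks like the same kind of divergence this commit set out to remove. The `install_requires` list in setup.py starts and ends outside the visible hunk context, so any other pins there were not reviewed.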