chore: fix audit issue

neilcampbell · neilcampbell · commit dfde57abb31d · 2025-03-21T11:16:51.000+08:00
diff --git a/.github/workflows/check-python.yaml b/.github/workflows/check-python.yaml
@@ -25,16 +25,10 @@ jobs:
         run: |
           # audit non dev dependencies, no exclusions
           poetry export --without=dev > requirements.txt
-          poetry run pip-audit -r requirements.txt  --ignore-vuln 'GHSA-79v4-65xg-pq4g'
+          poetry run pip-audit -r requirements.txt
           # audit all dependencies, with exclusions.
           # If a vulnerability is found in a dev dependency without an available fix,
-          # it can be temporarily ignored by adding --ignore-vuln e.g.
-          # TODO: decide on `GHSA-79v4-65xg-pq4g`, see https://osv.dev/vulnerability/GHSA-79v4-65xg-pq4g
-          # The vulnerability is not applicable to the cli case, the only abstraciton leveraged is `RSAPublicKey` in 
-          # vendored src/algokit/core/_vendor/auth0/authentication/token_verifier.py that was added to remove dependency
-          # on auth0 package that caused many adhoc transitive dependency errors in cli. As a result, consequent cryptography
-          # vulnerabilities need to be a) verified for applicability to cli case and ignored if not applicable or b) fixed by
-          # updating the vendored file to use the latest version of `cryptography` that has the fix.
+          # it can be temporarily ignored by adding --ignore-vuln e.g. poetry run pip-audit -r requirements.txt --ignore-vuln 'GHSA-79v4-65xg-pq4g'
 
       - name: Check formatting with Ruff
         run: |
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -18,11 +18,12 @@ tomli = { version = "^2.0.1", python = "<3.11" }
 python-dotenv = "^1.0.0"
 mslex = "^1.1.0"
 keyring = "25.2.1"
-# pyjwt is locked to version ^2.8.0 because its explicitly
+# pyjwt is locked to version ^2.10.1 because its explicitly
 # vendored from auth0 repo, to reduce depedency on auth0 package that caused many adhoc transitive dependency errors in cli
 # see header in src/algokit/core/_vendor/auth0/authentication/token_verifier.py
-pyjwt = "^2.8.0" 
-cryptography = "^43.0.1" # pyjwt has a weak dependency on cryptography and explicitly requires it in the vendored file, hence the lock
+# this version has been tested to work with the vendored file
+pyjwt = "^2.10.1" 
+cryptography = "^44.0.2" # pyjwt has a weak dependency on cryptography and explicitly requires it in the vendored file, hence the lock
 algokit-utils = "^3.0.0"
 multiformats = "0.3.1"
 multiformats_config = "0.3.1" # pinned this to be in lockstep with multiformats
diff --git a/src/algokit/core/_vendor/auth0/authentication/token_verifier.py b/src/algokit/core/_vendor/auth0/authentication/token_verifier.py
@@ -299,7 +299,7 @@ def verify(
             token (str): The JWT to verify.
             nonce (str, optional): The nonce value sent during authentication.
             max_age (int, optional): The max_age value sent during authentication.
-            organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified
+            organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified
             when logging in to an organization.
 
         Returns:
