Dependency & Security Review – Consolidated Issue
Describe the bug or question
The project currently includes multiple dependency- and security-related concerns that may impact production safety, maintainability, and best practices. Some dependencies have known security vulnerabilities, some are unnecessary, and some are not recommended for production usage.
This issue consolidates all findings into a single report for maintainers to review.
To Reproduce
Install dependencies and review dependency usage and security posture.
```python
# Imports in the project that pull in the packages discussed below
from jose import JWTError, jwt
import uuid
import psycopg2
```
Optional reproduction steps:
- Run `pip-audit` or `safety check`
- Inspect the `pyproject.toml` dependency list
- Review the JWT encode/decode implementation
Description
1. python-jose – Security (Critical)
Expected behavior:
JWT tokens must always be cryptographically verified and reject unsigned or malformed tokens.
Actual behavior:
The project depends on python-jose, which has reported CVEs that allow:
- Acceptance of JWT tokens with `alg=none` (authentication bypass)
- Potential denial-of-service via crafted JWE/JWT payloads
This makes JWT-based authentication unsafe for production environments.
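As an added illustration (not code from this project, python-jose or PyJWT), the checks a verifier must perform to meet the expected behaviour above, written against the standard library only so it runs without either JWT library; the secret and claims are constructed sample values. PyJWT applies the same algorithm allowlist when `jwt.decode` is called with an explicit `algorithms=[...]` argument.

```python
import base64
import hashlib
import hmac
import json
import time

# Explicit allowlist of signing algorithms: "none" and anything unexpected is rejected.
ALLOWED_ALGS = {"HS256"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed token (used here only to build sample input)."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the token is well-formed, uses an allowed
    algorithm, carries a valid signature and has not expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token: header and payload must be JSON objects")
    # Check the algorithm before touching the signature; the header is attacker-controlled.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims
```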
2. uuid / uuid6 – Unnecessary external dependency
Expected behavior:
Use Python’s built-in uuid module.
Actual behavior:
External uuid and uuid6 packages are included even though Python already provides uuid, increasing dependency surface without clear benefit.
3. psycopg2-binary – Not recommended for production
Expected behavior:
Production systems should use:
`psycopg2` (compiled) or `asyncpg` for async applications
Actual behavior:
psycopg2-binary is included alongside asyncpg, despite being discouraged for production usage and being redundant in an async stack.
4. SQLAlchemy-Utils – Outdated version
Expected behavior:
Use an actively maintained, up-to-date version.
Actual behavior:
An older version is pinned while newer stable releases are available.
5. Background worker choice (ARQ) – Documentation clarity
Expected behavior:
Clear documentation explaining why ARQ is used and its long-term recommendation.
Actual behavior:
ARQ is in maintenance-only mode. While functional, users would benefit from guidance on:
- Why ARQ was chosen
- Whether migration is recommended in the future
Screenshots
Not applicable (dependency and code-level issue).
Additional context
Suggested improvements (summary)
| Area | Suggestion | Priority |
|---|---|---|
| JWT security | Replace python-jose with PyJWT | High |
| UUID usage | Remove external uuid / uuid6 | Medium |
| PostgreSQL | Remove psycopg2-binary if using asyncpg | Medium |
| SQLAlchemy utils | Update to latest stable version | Medium |
| Background jobs | Document ARQ choice and roadmap | Low |
Why this matters
- Reduces attack surface
- Improves production readiness
- Aligns with Python & FastAPI best practices
- Increases confidence for adopters of this boilerplate