@Adam-D-Lewis
Member

Summary

  • Update PyJWT dependency from <2.10.0 to >=2.10.0
  • Update requires-python from >=3.8 to >=3.9 (PyJWT 2.10.0 dropped Python 3.8 support)
  • Remove Python 3.8 from test matrix
  • Fix JWT token handling to use custom claim instead of sub

Details

PyJWT 2.10.0 added validation that the sub (subject) claim must be a string per RFC 7519. The existing code was storing a dict ({'access_token': ..., 'token_type': 'Bearer'}) in the sub claim, which now fails with InvalidSubjectError: Subject must be a string.

The fix changes from using the reserved sub claim to a custom access_token_data claim, which is not subject to the same validation requirements.

Test plan

  • Unit tests pass
  • Direct JWT encode/decode test passes with PyJWT 2.10.1

- Update PyJWT dependency from <2.10.0 to >=2.10.0
- Update requires-python from >=3.8 to >=3.9 (PyJWT 2.10.0 dropped Python 3.8)
- Remove Python 3.8 from test matrix
- Fix JWT token handling to use custom claim instead of 'sub'

PyJWT 2.10.0 added validation that the 'sub' (subject) claim must be a
string per RFC 7519. The code was storing a dict in the 'sub' claim,
which now fails with InvalidSubjectError. Changed to use a custom
'access_token_data' claim instead.
@Adam-D-Lewis
Member Author

Adam-D-Lewis commented Jan 7, 2026

I'm not sure what's going on with the uv.lock getting so much smaller. Only thing I can think is b/c we remove python 3.9 3.8 support. Still seems a bit surprising.

@aktech
Member

aktech commented Jan 7, 2026

> I'm not sure what's going on with the uv.lock getting so much smaller. Only thing I can think is b/c we remove python 3.9 support. Still seems a bit surprising.

I think you mean removing 3.8 support. This is expected. uv creates a "universal" lock file that resolves dependencies for all supported Python versions. When a package needs different versions for different Python versions, uv includes multiple entries (forks).

By narrowing requires-python from >=3.8 to >=3.9, uv no longer needs to resolve Python 3.8-specific dependencies, eliminating those forks from the lock file.

Ref: https://docs.astral.sh/uv/concepts/resolution/

TODO for release notes

  • Python 3.8 support dropped - now requires Python 3.9+
  • PyJWT upgraded to 2.10.0+ - existing sessions invalidated (users must re-authenticate)
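
Added example, not code from this PR or from jhub-apps: it illustrates the `sub` change in the PR description and the "existing sessions invalidated" release note above. It uses a small stdlib HS256 encoder/decoder as a stand-in for PyJWT, with a string check on `sub` modeled on the behaviour the PR describes; the helper names, key and token values are constructed.

```python
import base64, hashlib, hmac, json

class InvalidSubjectError(ValueError):
    """Local stand-in for the error named in the PR (not PyJWT's class)."""

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def encode(claims: dict, key: bytes) -> str:
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(_b64(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _b64(_sign(signing_input, key))

def decode(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")  # ValueError unless three segments
    # Authenticate first, so nothing unauthenticated is parsed as JSON.
    if not hmac.compare_digest(_sign(f"{head}.{body}", key), _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(body))
    # RFC 7519: 'sub' is a StringOrURI, so a dict here is rejected.
    if "sub" in claims and not isinstance(claims["sub"], str):
        raise InvalidSubjectError("Subject must be a string")
    return claims

KEY = b"constructed-demo-key"  # constructed sample secret
TOKEN_DATA = {"access_token": "constructed-value", "token_type": "Bearer"}

def legacy_token(key: bytes) -> str:
    return encode({"sub": TOKEN_DATA}, key)  # pre-fix layout: dict in 'sub'

def fixed_token(key: bytes) -> str:
    return encode({"access_token_data": TOKEN_DATA}, key)  # post-fix layout

def load_session(token: str, key: bytes):
    """Return the stored token data, or None to force re-authentication."""
    try:
        return decode(token, key).get("access_token_data")
    except ValueError:  # bad signature, malformed token, or non-string 'sub'
        return None
```

A token minted in the old layout still carries a valid signature, yet `load_session` returns `None` for it, which is why sessions issued before the upgrade have to be re-established.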

@aktech aktech merged commit 44e32ab into main Jan 7, 2026
26 checks passed
@Adam-D-Lewis
Member Author

Adam-D-Lewis commented Jan 7, 2026

Thanks for merging, @aktech. I guess technically I didn't need to bump the PyJWT dependency >=2.10.0. The changes should be compatible with previous versions.
