Update dependency PyJWT to v2 by mend-for-github-com[bot] · Pull Request #65 · nexmo-community/click2call

mend-for-github-com · 2026-03-18T06:41:39Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
PyJWT	major	`==1.5.2` → `==2.12.0`

By merging this PR, the issue #51 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2026-32597

Release Notes

jpadilla/pyjwt (PyJWT)

`v2.12.0`

Compare Source

Security

Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @dmbs335 in GHSA-752w-5fwx-jx9f

What's Changed

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1132
chore(docs): fix docs build by @tamird in #1137
Annotate PyJWKSet.keys for pyright by @tamird in #1134
fix: close HTTPError to prevent ResourceWarning on Python 3.14 by @veeceey in #1133
chore: remove superfluous constants by @tamird in #1136
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1135
chore(tests): enable mypy by @tamird in #1138
Bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #1142
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1141
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1145
fix: do not store reference to algorithms dict on PyJWK by @akx in #1143
Use PyJWK algorithm when encoding without explicit algorithm by @jpadilla in #1148

New Contributors

@tamird made their first contribution in #1137
@veeceey made their first contribution in #1133

Full Changelog: jpadilla/pyjwt@2.11.0...2.12.0

`v2.11.0`

Compare Source

What's Changed

Fixed type error in comment by @shuhaib-aot in #1026
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1018
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1033
Make note of use of leeway with nbf by @djw8605 in #1034
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1035
Fixes #964: Validate key against allowed types for Algorithm family by @pachewise in #985
Feat #1024: Add iterator for PyJWKSet by @pachewise in #1041
Fixes #1039: Add iss, issuer type checks by @pachewise in #1040
Fixes #660: Improve typing/logic for options in decode, decode_complete; Improve docs by @pachewise in #1045
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1042
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1052
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1053
Fix #1022: Map algorithm=None to "none" by @qqii in #1056
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1055
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1058
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1060
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1061
Fixes #1047: Correct PyJWKClient.get_signing_key_from_jwt annotation by @khvn26 in #1048
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1062
Fixed doc string typo in _validate_jti() function #1063 by @kuldeepkhatke in #1064
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1065
Update SECURITY.md by @auvipy in #1057
Typing fix: use float instead of int for lifespan and timeout by @nikitagashkov in #1068
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1067
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1071
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1076
Fix TYP header documentation by @fobiasmog in #1046
doc: Document claims sub and jti by @cleder in #1088
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1077
Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #1089
Bump actions/stale from 8 to 10 by @dependabot[bot] in #1090
Bump actions/checkout from 4 to 5 by @dependabot[bot] in #1083
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1091
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1093
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #1096
Resolve package build warnings by @kurtmckee in #1105
Support Python 3.14, and test against PyPy 3.10+ by @kurtmckee in #1104
Fix a SyntaxWarning caused by invalid escape sequences by @kurtmckee in #1103
Standardize CHANGELOG links to PRs by @kurtmckee in #1110
Migrate from pep517, which is deprecated, to build by @kurtmckee in #1108
Fix incorrectly-named test suite function by @kurtmckee in #1116
Fix Read the Docs builds by @kurtmckee in #1111
Bump actions/download-artifact from 4 to 6 by @dependabot[bot] in #1118
Escalate test suite warnings to errors by @kurtmckee in #1107
Add pyupgrade as a pre-commit hook by @kurtmckee in #1109
Simplify the test suite decorators by @kurtmckee in #1113
Improve coverage config and eliminate unused test suite code by @kurtmckee in #1115
Build a shared wheel once in the test suite by @kurtmckee in #1114
Bump actions/checkout from 5 to 6 by @dependabot[bot] in #1122
Thoroughly test type annotations, and resolve errors by @kurtmckee in #1112
Fix leeway value in usage documentation by @Matthew1471 in #1124
Bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #1125

New Contributors

@shuhaib-aot made their first contribution in #1026
@qqii made their first contribution in #1056
@khvn26 made their first contribution in #1048
@kuldeepkhatke made their first contribution in #1064
@nikitagashkov made their first contribution in #1068
@fobiasmog made their first contribution in #1046
@Matthew1471 made their first contribution in #1124

Full Changelog: jpadilla/pyjwt@2.10.1...2.11.0

`v2.10.1`

Compare Source

Fixed

Prevent partial matching of iss claim. Thanks @fabianbadoi! (See: GHSA-75c5-xw7c-p5pm)

Full Changelog: jpadilla/pyjwt@2.10.0...2.10.1

`v2.10.0`

Compare Source

What's Changed

chore: use sequence for typing rather than list by @imnotjames in #970
Add support for Python 3.13 by @hugovk in #972
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #971
Add an RTD config file to resolve RTD build failures by @kurtmckee in #977
docs: Update iat exception docs by @pachewise in #974
Remove algorithm requirement for JWT API by @luhn in #975
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #978
Create SECURITY.md by @auvipy in #973
docs fix: decode_complete scope and algorithms by @RbnRncn in #982
fix doctest for docs/usage.rst by @pachewise in #986
fix test_utils.py not to xfail by @pachewise in #987
Correct jwt.decode audience param doc expression by @peter279k in #994
Add PS256 encoding and decoding usage by @peter279k in #992
Add API docs for PyJWK by @luhn in #980
Refactor project configuration files from setup.cfg to pyproject.toml PEP-518 by @cleder in #995
Add JWK support to JWT encode by @luhn in #979
Update pre-commit hooks to lint pyproject.toml by @cleder in #1002
Add EdDSA algorithm encoding/decoding usage by @peter279k in #993
Ruff linter and formatter changes by @gagandeepp in #1001
Validate sub and jti claims for the token by @Divan009 in #1005
Add ES256 usage by @Gautam-Hegde in #1003
Encode EC keys with a fixed bit length by @way-dave in #990
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1000
Drop support for Python 3.8 by @kkirsche in #1007
Prepare 2.10.0 release by @benvdh in #1011
Bump codecov/codecov-action from 4 to 5 by @dependabot in #1014
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1006

New Contributors

@imnotjames made their first contribution in #970
@kurtmckee made their first contribution in #977
@pachewise made their first contribution in #974
@RbnRncn made their first contribution in #982
@peter279k made their first contribution in #994
@cleder made their first contribution in #995
@gagandeepp made their first contribution in #1001
@Divan009 made their first contribution in #1005
@Gautam-Hegde made their first contribution in #1003
@way-dave made their first contribution in #990

Full Changelog: jpadilla/pyjwt@2.9.0...2.10.0

`v2.9.0`

Compare Source

Changed


- Drop support for Python 3.7 (EOL) by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Allow JWT issuer claim validation to accept a list of strings too by @&#8203;mattpollak in `#&#8203;913 <https://github.com/jpadilla/pyjwt/pull/913>`__

Fixed
~~~~~

- Fix unnecessary string concatenation by @&#8203;sirosen in `#&#8203;904 <https://github.com/jpadilla/pyjwt/pull/904>`__
- Fix docs for ``jwt.decode_complete`` to include ``strict_aud`` option by @&#8203;woodruffw in `#&#8203;923 <https://github.com/jpadilla/pyjwt/pull/923>`__
- Fix docs step by @&#8203;jpadilla in `#&#8203;950 <https://github.com/jpadilla/pyjwt/pull/950>`__
- Fix: Remove an unused variable from example code block by @&#8203;kenkoooo in `#&#8203;958 <https://github.com/jpadilla/pyjwt/pull/958>`__

Added
~~~~~

- Add support for Python 3.12 by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Improve performance of ``is_ssh_key`` + add unit test by @&#8203;bdraco in `#&#8203;940 <https://github.com/jpadilla/pyjwt/pull/940>`__
- Allow ``jwt.decode()`` to accept a PyJWK object by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Make ``algorithm_name`` attribute available on PyJWK by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Raise ``InvalidKeyError`` on invalid PEM keys to be compatible with cryptography 42.x.x by @&#8203;CollinEMac in `#&#8203;952 <https://github.com/jpadilla/pyjwt/pull/952>`__
- Raise an exception when required cryptography dependency is missing by @&#8203;tobloef in `<https://github.com/jpadilla/pyjwt/pull/963>`__

`v2.8.0 <https://github.com/jpadilla/pyjwt/compare/2.7.0...2.8.0>`__
-----------------------------------------------------------------------

Changed

Update python version test matrix by @auvipy in #895 <https://github.com/jpadilla/pyjwt/pull/895>__

Fixed


Added

Add strict_aud as an option to jwt.decode by @woodruffw in #902 <https://github.com/jpadilla/pyjwt/pull/902>__
Export PyJWKClientConnectionError class by @daviddavis in #887 <https://github.com/jpadilla/pyjwt/pull/887>__
Allows passing of ssl.SSLContext to PyJWKClient by @juur in #891 <https://github.com/jpadilla/pyjwt/pull/891>__

`v2.8.0`

Compare Source

Changed


- Drop support for Python 3.7 (EOL) by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Allow JWT issuer claim validation to accept a list of strings too by @&#8203;mattpollak in `#&#8203;913 <https://github.com/jpadilla/pyjwt/pull/913>`__

Fixed
~~~~~

- Fix unnecessary string concatenation by @&#8203;sirosen in `#&#8203;904 <https://github.com/jpadilla/pyjwt/pull/904>`__
- Fix docs for ``jwt.decode_complete`` to include ``strict_aud`` option by @&#8203;woodruffw in `#&#8203;923 <https://github.com/jpadilla/pyjwt/pull/923>`__
- Fix docs step by @&#8203;jpadilla in `#&#8203;950 <https://github.com/jpadilla/pyjwt/pull/950>`__
- Fix: Remove an unused variable from example code block by @&#8203;kenkoooo in `#&#8203;958 <https://github.com/jpadilla/pyjwt/pull/958>`__

Added
~~~~~

- Add support for Python 3.12 by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Improve performance of ``is_ssh_key`` + add unit test by @&#8203;bdraco in `#&#8203;940 <https://github.com/jpadilla/pyjwt/pull/940>`__
- Allow ``jwt.decode()`` to accept a PyJWK object by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Make ``algorithm_name`` attribute available on PyJWK by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Raise ``InvalidKeyError`` on invalid PEM keys to be compatible with cryptography 42.x.x by @&#8203;CollinEMac in `#&#8203;952 <https://github.com/jpadilla/pyjwt/pull/952>`__
- Raise an exception when required cryptography dependency is missing by @&#8203;tobloef in `<https://github.com/jpadilla/pyjwt/pull/963>`__

`v2.8.0 <https://github.com/jpadilla/pyjwt/compare/2.7.0...2.8.0>`__
-----------------------------------------------------------------------

Changed

Update python version test matrix by @auvipy in #895 <https://github.com/jpadilla/pyjwt/pull/895>__

Fixed


Added

Add strict_aud as an option to jwt.decode by @woodruffw in #902 <https://github.com/jpadilla/pyjwt/pull/902>__
Export PyJWKClientConnectionError class by @daviddavis in #887 <https://github.com/jpadilla/pyjwt/pull/887>__
Allows passing of ssl.SSLContext to PyJWKClient by @juur in #891 <https://github.com/jpadilla/pyjwt/pull/891>__

`v2.7.0`

Compare Source

Changed


- Changed the error message when the token audience doesn't match the expected audience by @&#8203;irdkwmnsb `#&#8203;809 <https://github.com/jpadilla/pyjwt/pull/809>`__
- Improve error messages when cryptography isn't installed by @&#8203;Viicos in `#&#8203;846 <https://github.com/jpadilla/pyjwt/pull/846>`__
- Make `Algorithm` an abstract base class by @&#8203;Viicos in `#&#8203;845 <https://github.com/jpadilla/pyjwt/pull/845>`__
- ignore invalid keys in a jwks by @&#8203;timw6n in `#&#8203;863 <https://github.com/jpadilla/pyjwt/pull/863>`__

Fixed
~~~~~

- Add classifier for Python 3.11 by @&#8203;eseifert in `#&#8203;818 <https://github.com/jpadilla/pyjwt/pull/818>`__
- Fix ``_validate_iat`` validation by @&#8203;Viicos in `#&#8203;847 <https://github.com/jpadilla/pyjwt/pull/847>`__
- fix: use datetime.datetime.timestamp function to have a milliseconds by @&#8203;daillouf `#&#8203;821 <https://github.com/jpadilla/pyjwt/pull/821>`__
- docs: correct mistake in the changelog about verify param by @&#8203;gbillig in `#&#8203;866 <https://github.com/jpadilla/pyjwt/pull/866>`__

Added
~~~~~

- Add ``compute_hash_digest`` as a method of ``Algorithm`` objects, which uses
  the underlying hash algorithm to compute a digest. If there is no appropriate
  hash algorithm, a ``NotImplementedError`` will be raised in `#&#8203;775 <https://github.com/jpadilla/pyjwt/pull/775>`__
- Add optional ``headers`` argument to ``PyJWKClient``. If provided, the headers
  will be included in requests that the client uses when fetching the JWK set by @&#8203;thundercat1 in `#&#8203;823 <https://github.com/jpadilla/pyjwt/pull/823>`__
- Add PyJWT._{de,en}code_payload hooks by @&#8203;akx in `#&#8203;829 <https://github.com/jpadilla/pyjwt/pull/829>`__
- Add `sort_headers` parameter to `api_jwt.encode` by @&#8203;evroon in `#&#8203;832 <https://github.com/jpadilla/pyjwt/pull/832>`__
- Make mypy configuration stricter and improve typing by @&#8203;akx in `#&#8203;830 <https://github.com/jpadilla/pyjwt/pull/830>`__
- Add more types by @&#8203;Viicos in `#&#8203;843 <https://github.com/jpadilla/pyjwt/pull/843>`__
- Add a timeout for PyJWKClient requests by @&#8203;daviddavis in `#&#8203;875 <https://github.com/jpadilla/pyjwt/pull/875>`__
- Add client connection error exception by @&#8203;daviddavis in `#&#8203;876 <https://github.com/jpadilla/pyjwt/pull/876>`__
- Add complete types to take all allowed keys into account by @&#8203;Viicos in `#&#8203;873 <https://github.com/jpadilla/pyjwt/pull/873>`__
- Add `as_dict` option to `Algorithm.to_jwk` by @&#8203;fluxth in `#&#8203;881 <https://github.com/jpadilla/pyjwt/pull/881>`__

`v2.6.0 <https://github.com/jpadilla/pyjwt/compare/2.5.0...2.6.0>`__
-----------------------------------------------------------------------

Changed

bump up cryptography >= 3.4.0 by @jpadilla in #807 <https://github.com/jpadilla/pyjwt/pull/807>__
Remove types-cryptography from crypto extra by @lautat in #805 <https://github.com/jpadilla/pyjwt/pull/805>__

Fixed


- Invalidate token on the exact second the token expires `#&#8203;797 <https://github.com/jpadilla/pyjwt/pull/797>`__
- fix: version 2.5.0 heading typo by @&#8203;c0state in `#&#8203;803 <https://github.com/jpadilla/pyjwt/pull/803>`__

Added

Adding validation for issued_at when iat > (now + leeway) as ImmatureSignatureError by @sriharan16 in #794 <https://github.com/jpadilla/pyjwt/pull/794>__

`v2.6.0`

Compare Source

Changed


- Changed the error message when the token audience doesn't match the expected audience by @&#8203;irdkwmnsb `#&#8203;809 <https://github.com/jpadilla/pyjwt/pull/809>`__
- Improve error messages when cryptography isn't installed by @&#8203;Viicos in `#&#8203;846 <https://github.com/jpadilla/pyjwt/pull/846>`__
- Make `Algorithm` an abstract base class by @&#8203;Viicos in `#&#8203;845 <https://github.com/jpadilla/pyjwt/pull/845>`__
- ignore invalid keys in a jwks by @&#8203;timw6n in `#&#8203;863 <https://github.com/jpadilla/pyjwt/pull/863>`__

Fixed
~~~~~

- Add classifier for Python 3.11 by @&#8203;eseifert in `#&#8203;818 <https://github.com/jpadilla/pyjwt/pull/818>`__
- Fix ``_validate_iat`` validation by @&#8203;Viicos in `#&#8203;847 <https://github.com/jpadilla/pyjwt/pull/847>`__
- fix: use datetime.datetime.timestamp function to have a milliseconds by @&#8203;daillouf `#&#8203;821 <https://github.com/jpadilla/pyjwt/pull/821>`__
- docs: correct mistake in the changelog about verify param by @&#8203;gbillig in `#&#8203;866 <https://github.com/jpadilla/pyjwt/pull/866>`__

Added
~~~~~

- Add ``compute_hash_digest`` as a method of ``Algorithm`` objects, which uses
  the underlying hash algorithm to compute a digest. If there is no appropriate
  hash algorithm, a ``NotImplementedError`` will be raised in `#&#8203;775 <https://github.com/jpadilla/pyjwt/pull/775>`__
- Add optional ``headers`` argument to ``PyJWKClient``. If provided, the headers
  will be included in requests that the client uses when fetching the JWK set by @&#8203;thundercat1 in `#&#8203;823 <https://github.com/jpadilla/pyjwt/pull/823>`__
- Add PyJWT._{de,en}code_payload hooks by @&#8203;akx in `#&#8203;829 <https://github.com/jpadilla/pyjwt/pull/829>`__
- Add `sort_headers` parameter to `api_jwt.encode` by @&#8203;evroon in `#&#8203;832 <https://github.com/jpadilla/pyjwt/pull/832>`__
- Make mypy configuration stricter and improve typing by @&#8203;akx in `#&#8203;830 <https://github.com/jpadilla/pyjwt/pull/830>`__
- Add more types by @&#8203;Viicos in `#&#8203;843 <https://github.com/jpadilla/pyjwt/pull/843>`__
- Add a timeout for PyJWKClient requests by @&#8203;daviddavis in `#&#8203;875 <https://github.com/jpadilla/pyjwt/pull/875>`__
- Add client connection error exception by @&#8203;daviddavis in `#&#8203;876 <https://github.com/jpadilla/pyjwt/pull/876>`__
- Add complete types to take all allowed keys into account by @&#8203;Viicos in `#&#8203;873 <https://github.com/jpadilla/pyjwt/pull/873>`__
- Add `as_dict` option to `Algorithm.to_jwk` by @&#8203;fluxth in `#&#8203;881 <https://github.com/jpadilla/pyjwt/pull/881>`__

`v2.6.0 <https://github.com/jpadilla/pyjwt/compare/2.5.0...2.6.0>`__
-----------------------------------------------------------------------

Changed

bump up cryptography >= 3.4.0 by @jpadilla in #807 <https://github.com/jpadilla/pyjwt/pull/807>__
Remove types-cryptography from crypto extra by @lautat in #805 <https://github.com/jpadilla/pyjwt/pull/805>__

Fixed


- Invalidate token on the exact second the token expires `#&#8203;797 <https://github.com/jpadilla/pyjwt/pull/797>`__
- fix: version 2.5.0 heading typo by @&#8203;c0state in `#&#8203;803 <https://github.com/jpadilla/pyjwt/pull/803>`__

Added

Adding validation for issued_at when iat > (now + leeway) as ImmatureSignatureError by @sriharan16 in #794 <https://github.com/jpadilla/pyjwt/pull/794>__

`v2.5.0`

Compare Source

Changed


- Skip keys with incompatible alg when loading JWKSet by @&#8203;DaGuich in `#&#8203;762 <https://github.com/jpadilla/pyjwt/pull/762>`__
- Remove support for python3.6 by @&#8203;sirosen in `#&#8203;777 <https://github.com/jpadilla/pyjwt/pull/777>`__
- Emit a deprecation warning for unsupported kwargs by @&#8203;sirosen in `#&#8203;776 <https://github.com/jpadilla/pyjwt/pull/776>`__
- Remove redundant wheel dep from pyproject.toml by @&#8203;mgorny in `#&#8203;765 <https://github.com/jpadilla/pyjwt/pull/765>`__
- Do not fail when an unusable key occurs by @&#8203;DaGuich in `#&#8203;762 <https://github.com/jpadilla/pyjwt/pull/762>`__
- Update audience typing by @&#8203;JulianMaurin in `#&#8203;782 <https://github.com/jpadilla/pyjwt/pull/782>`__
- Improve PyJWKSet error accuracy by @&#8203;JulianMaurin in `#&#8203;786 <https://github.com/jpadilla/pyjwt/pull/786>`__
- Mypy as pre-commit check + api_jws typing by @&#8203;JulianMaurin in `#&#8203;787 <https://github.com/jpadilla/pyjwt/pull/787>`__

Fixed
~~~~~

- Adjust expected exceptions in option merging tests for PyPy3 by @&#8203;mgorny in `#&#8203;763 <https://github.com/jpadilla/pyjwt/pull/763>`__
- Fixes for pyright on strict mode by @&#8203;brandon-leapyear in `#&#8203;747 <https://github.com/jpadilla/pyjwt/pull/747>`__
- docs: fix simple typo, iinstance -> isinstance by @&#8203;timgates42 in `#&#8203;774 <https://github.com/jpadilla/pyjwt/pull/774>`__
- Fix typo: priot -> prior by @&#8203;jdufresne in `#&#8203;780 <https://github.com/jpadilla/pyjwt/pull/780>`__
- Fix for headers disorder issue by @&#8203;kadabusha in `#&#8203;721 <https://github.com/jpadilla/pyjwt/pull/721>`__

Added
~~~~~

- Add to_jwk static method to ECAlgorithm by @&#8203;leonsmith in `#&#8203;732 <https://github.com/jpadilla/pyjwt/pull/732>`__
- Expose get_algorithm_by_name as new method by @&#8203;sirosen in `#&#8203;773 <https://github.com/jpadilla/pyjwt/pull/773>`__
- Add type hints to jwt/help.py and add missing types dependency by @&#8203;kkirsche in `#&#8203;784 <https://github.com/jpadilla/pyjwt/pull/784>`__
- Add cacheing functionality for JWK set by @&#8203;wuhaoyujerry in `#&#8203;781 <https://github.com/jpadilla/pyjwt/pull/781>`__

`v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>`__
-----------------------------------------------------------------------

Security

[CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. GHSA-ffqj-6fqr-9h24

Changed


- Explicit check the key for ECAlgorithm by @&#8203;estin in `#&#8203;713 <https://github.com/jpadilla/pyjwt/pull/713>`__
- Raise DeprecationWarning for jwt.decode(verify=...) by @&#8203;akx in `#&#8203;742 <https://github.com/jpadilla/pyjwt/pull/742>`__

Fixed
~~~~~

- Don't use implicit optionals by @&#8203;rekyungmin in `#&#8203;705 <https://github.com/jpadilla/pyjwt/pull/705>`__
- documentation fix: show correct scope for decode_complete() by @&#8203;sseering in `#&#8203;661 <https://github.com/jpadilla/pyjwt/pull/661>`__
- fix: Update copyright information by @&#8203;kkirsche in `#&#8203;729 <https://github.com/jpadilla/pyjwt/pull/729>`__
- Don't mutate options dictionary in .decode_complete() by @&#8203;akx in `#&#8203;743 <https://github.com/jpadilla/pyjwt/pull/743>`__

Added
~~~~~

- Add support for Python 3.10 by @&#8203;hugovk in `#&#8203;699 <https://github.com/jpadilla/pyjwt/pull/699>`__
- api_jwk: Add PyJWKSet.__getitem__ by @&#8203;woodruffw in `#&#8203;725 <https://github.com/jpadilla/pyjwt/pull/725>`__
- Update usage.rst by @&#8203;guneybilen in `#&#8203;727 <https://github.com/jpadilla/pyjwt/pull/727>`__
- Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @&#8203;dmahr1 in `#&#8203;734 <https://github.com/jpadilla/pyjwt/pull/734>`__
- Fixed typo in usage.rst by @&#8203;israelabraham in `#&#8203;738 <https://github.com/jpadilla/pyjwt/pull/738>`__
- Add detached payload support for JWS encoding and decoding by @&#8203;fviard in `#&#8203;723 <https://github.com/jpadilla/pyjwt/pull/723>`__
- Replace various string interpolations with f-strings by @&#8203;akx in `#&#8203;744 <https://github.com/jpadilla/pyjwt/pull/744>`__
- Update CHANGELOG.rst by @&#8203;hipertracker in `#&#8203;751 <https://github.com/jpadilla/pyjwt/pull/751>`__

`v2.3.0 <https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0>`__
-----------------------------------------------------------------------

Fixed
~~~~~

- Revert "Remove arbitrary kwargs." `#&#8203;701 <https://github.com/jpadilla/pyjwt/pull/701>`__

Added
~~~~~

- Add exception chaining `#&#8203;702 <https://github.com/jpadilla/pyjwt/pull/702>`__

`v2.2.0 <https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0>`__
-----------------------------------------------------------------------

Changed

Remove arbitrary kwargs. #657 <https://github.com/jpadilla/pyjwt/pull/657>__
Use timezone package as Python 3.5+ is required. #694 <https://github.com/jpadilla/pyjwt/pull/694>__

Fixed

- Assume JWK without the "use" claim is valid for signing as per RFC7517 `#&#8203;668 <https://github.com/jpadilla/pyjwt/pull/668>`__
- Prefer `headers["alg"]` to `algorithm` in `jwt.encode()`. `#&#8203;673 <https://github.com/jpadilla/pyjwt/pull/673>`__
- Fix aud validation to support {'aud': null} case. `#&#8203;670 <https://github.com/jpadilla/pyjwt/pull/670>`__
- Make `typ` optional in JWT to be compliant with RFC7519. `#&#8203;644 <https://github.com/jpadilla/pyjwt/pull/644>`__
-  Remove upper bound on cryptography version. `#&#8203;693 <https://github.com/jpadilla/pyjwt/pull/693>`__

Added

Add support for Ed448/EdDSA. #675 <https://github.com/jpadilla/pyjwt/pull/675>__

`v2.4.0`

Compare Source

Changed


- Skip keys with incompatible alg when loading JWKSet by @&#8203;DaGuich in `#&#8203;762 <https://github.com/jpadilla/pyjwt/pull/762>`__
- Remove support for python3.6 by @&#8203;sirosen in `#&#8203;777 <https://github.com/jpadilla/pyjwt/pull/777>`__
- Emit a deprecation warning for unsupported kwargs by @&#8203;sirosen in `#&#8203;776 <https://github.com/jpadilla/pyjwt/pull/776>`__
- Remove redundant wheel dep from pyproject.toml by @&#8203;mgorny in `#&#8203;765 <https://github.com/jpadilla/pyjwt/pull/765>`__
- Do not fail when an unusable key occurs by @&#8203;DaGuich in `#&#8203;762 <https://github.com/jpadilla/pyjwt/pull/762>`__
- Update audience typing by @&#8203;JulianMaurin in `#&#8203;782 <https://github.com/jpadilla/pyjwt/pull/782>`__
- Improve PyJWKSet error accuracy by @&#8203;JulianMaurin in `#&#8203;786 <https://github.com/jpadilla/pyjwt/pull/786>`__
- Mypy as pre-commit check + api_jws typing by @&#8203;JulianMaurin in `#&#8203;787 <https://github.com/jpadilla/pyjwt/pull/787>`__

Fixed
~~~~~

- Adjust expected exceptions in option merging tests for PyPy3 by @&#8203;mgorny in `#&#8203;763 <https://github.com/jpadilla/pyjwt/pull/763>`__
- Fixes for pyright on strict mode by @&#8203;brandon-leapyear in `#&#8203;747 <https://github.com/jpadilla/pyjwt/pull/747>`__
- docs: fix simple typo, iinstance -> isinstance by @&#8203;timgates42 in `#&#8203;774 <https://github.com/jpadilla/pyjwt/pull/774>`__
- Fix typo: priot -> prior by @&#8203;jdufresne in `#&#8203;780 <https://github.com/jpadilla/pyjwt/pull/780>`__
- Fix for headers disorder issue by @&#8203;kadabusha in `#&#8203;721 <https://github.com/jpadilla/pyjwt/pull/721>`__

Added
~~~~~

- Add to_jwk static method to ECAlgorithm by @&#8203;leonsmith in `#&#8203;732 <https://github.com/jpadilla/pyjwt/pull/732>`__
- Expose get_algorithm_by_name as new method by @&#8203;sirosen in `#&#8203;773 <https://github.com/jpadilla/pyjwt/pull/773>`__
- Add type hints to jwt/help.py and add missing types dependency by @&#8203;kkirsche in `#&#8203;784 <https://github.com/jpadilla/pyjwt/pull/784>`__
- Add cacheing functionality for JWK set by @&#8203;wuhaoyujerry in `#&#8203;781 <https://github.com/jpadilla/pyjwt/pull/781>`__

`v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>`__
-----------------------------------------------------------------------

Security

[CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. GHSA-ffqj-6fqr-9h24

Changed


- Explicit check the key for ECAlgorithm by @&#8203;estin in `#&#8203;713 <https://github.com/jpadilla/pyjwt/pull/713>`__
- Raise DeprecationWarning for jwt.decode(verify=...) by @&#8203;akx in `#&#8203;742 <https://github.com/jpadilla/pyjwt/pull/742>`__

Fixed
~~~~~

- Don't use implicit optionals by @&#8203;rekyungmin in `#&#8203;705 <https://github.com/jpadilla/pyjwt/pull/705>`__
- documentation fix: show correct scope for decode_complete() by @&#8203;sseering in `#&#8203;661 <https://github.com/jpadilla/pyjwt/pull/661>`__
- fix: Update copyright information by @&#8203;kkirsche in `#&#8203;729 <https://github.com/jpadilla/pyjwt/pull/729>`__
- Don't mutate options dictionary in .decode_complete() by @&#8203;akx in `#&#8203;743 <https://github.com/jpadilla/pyjwt/pull/743>`__

Added
~~~~~

- Add support for Python 3.10 by @&#8203;hugovk in `#&#8203;699 <https://github.com/jpadilla/pyjwt/pull/699>`__
- api_jwk: Add PyJWKSet.__getitem__ by @&#8203;woodruffw in `#&#8203;725 <https://github.com/jpadilla/pyjwt/pull/725>`__
- Update usage.rst by @&#8203;guneybilen in `#&#8203;727 <https://github.com/jpadilla/pyjwt/pull/727>`__
- Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @&#8203;dmahr1 in `#&#8203;734 <https://github.com/jpadilla/pyjwt/pull/734>`__
- Fixed typo in usage.rst by @&#8203;israelabraham in `#&#8203;738 <https://github.com/jpadilla/pyjwt/pull/738>`__
- Add detached payload support for JWS encoding and decoding by @&#8203;fviard in `#&#8203;723 <https://github.com/jpadilla/pyjwt/pull/723>`__
- Replace various string interpolations with f-strings by @&#8203;akx in `#&#8203;744 <https://github.com/jpadilla/pyjwt/pull/744>`__
- Update CHANGELOG.rst by @&#8203;hipertracker in `#&#8203;751 <https://github.com/jpadilla/pyjwt/pull/751>`__

`v2.3.0 <https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0>`__
-----------------------------------------------------------------------

Fixed
~~~~~

- Revert "Remove arbitrary kwargs." `#&#8203;701 <https://github.com/jpadilla/pyjwt/pull/701>`__

Added
~~~~~

- Add exception chaining `#&#8203;702 <https://github.com/jpadilla/pyjwt/pull/702>`__

`v2.2.0 <https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0>`__
-----------------------------------------------------------------------

Changed

Remove arbitrary kwargs. #657 <https://github.com/jpadilla/pyjwt/pull/657>__
Use timezone package as Python 3.5+ is required. #694 <https://github.com/jpadilla/pyjwt/pull/694>__

Fixed

- Assume JWK without the "use" claim is valid for signing as per RFC7517 `#&#8203;668 <https://github.com/jpadilla/pyjwt/pull/668>`__
- Prefer `headers["alg"]` to `algorithm` in `jwt.encode()`. `#&#8203;673 <https://github.com/jpadilla/pyjwt/pull/673>`__
- Fix aud validation to support {'aud': null} case. `#&#8203;670 <https://github.com/jpadilla/pyjwt/pull/670>`__
- Make `typ` optional in JWT to be compliant with RFC7519. `#&#8203;644 <https://github.com/jpadilla/pyjwt/pull/644>`__
-  Remove upper bound on cryptography version. `#&#8203;693 <https://github.com/jpadilla/pyjwt/pull/693>`__

Added

Add support for Ed448/EdDSA. #675 <https://github.com/jpadilla/pyjwt/pull/675>__

`v2.3.0`

Compare Source

What's Changed

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #700
Add exception chaining by @ehdgua01 in #702
Revert "Remove arbitrary kwargs." by @auvipy in #701
Bump up version to v2.3.0 by @jpadilla in #703

New Contributors

@ehdgua01 made their first contribution in #702
@auvipy made their first contribution in #701

Full Changelog: jpadilla/pyjwt@2.2.0...2.3.0

`v2.2.0`

Compare Source

What's Changed

Complete jwt documentation by @johachi in #654
Ignore coverage files generated during test runs by @makusu2 in #617
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #656
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #658
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #667
Fix aud validation to support {'aud': null} case. by @dajiaji in #670
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #678
Prefer headers['alg'] to algorithm parameter in encode(). by @dajiaji in #673
DOC: Clarify RSA encoding and decoding depend on the cryptography package by @TPXP in #664
Make typ optional by @dajiaji in #644
Remove arbitrary kwargs. by @dajiaji in #657
Assume JWK is valid for signing if "use" is omitted by @Klavionik in #668
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #684
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #686
[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #689
Remove upper bound on cryptography version by @riconnon in #693
Add support for Ed448/EdDSA. by @dajiaji in #675
Chore: inline Variables that immediately Returned by @yezz123 in #690
Use timezone package as Python 3.5+ is required by @kkirsche in #694
Bump up version to v2.2.0 by @jpadilla in #697

New Contributors

@TPXP made their first contribution in #664
@Klavionik made their first contribution in #668
@riconnon made their first contribution in #693
@yezz123 made their first contribution in #690
@kkirsche made their first contribution in #694

Full Changelog: jpadilla/pyjwt@2.1.0...2.2.0

`v2.1.0`

Compare Source

Changed


- Allow claims validation without making JWT signature validation mandatory. `#&#8203;608 <https://github.com/jpadilla/pyjwt/pull/608>`__

Fixed
~~~~~

- Remove padding from JWK test data. `#&#8203;628 <https://github.com/jpadilla/pyjwt/pull/628>`__
- Make `kty` mandatory in JWK to be compliant with RFC7517. `#&#8203;624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- Allow JWK without `alg` to be compliant with RFC7517. `#&#8203;624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- Allow to verify with private key on ECAlgorithm, as well as on Ed25519Algorithm. `#&#8203;645 <https://github.com/jpadilla/pyjwt/pull/645>`__

Added
~~~~~

- Add caching by default to PyJWKClient `#&#8203;611 <https://github.com/jpadilla/pyjwt/pull/611>`__
- Add missing exceptions.InvalidKeyError to jwt module __init__ imports `#&#8203;620 <https://github.com/jpadilla/pyjwt/pull/620>`__
- Add support for ES256K algorithm `#&#8203;629 <https://github.com/jpadilla/pyjwt/pull/629>`__
- Add `from_jwk()` to Ed25519Algorithm `#&#8203;621 <https://github.com/jpadilla/pyjwt/pull/621>`__
- Add `to_jwk()` to Ed25519Algorithm `#&#8203;643 <https://github.com/jpadilla/pyjwt/pull/643>`__
- Export `PyJWK` and `PyJWKSet` `#&#8203;652 <https://github.com/jpadilla/pyjwt/pull/652>`__

`v2.0.1 <https://github.com/jpadilla/pyjwt/compare/2.0.0...2.0.1>`__
--------------------------------------------------------------------

Changed

Rename CHANGELOG.md to CHANGELOG.rst and include in docs #597 <https://github.com/jpadilla/pyjwt/pull/597>__

Fixed


- Fix `from_jwk()` for all algorithms `#&#8203;598 <https://github.com/jpadilla/pyjwt/pull/598>`__

Added

`v2.0.1`

Compare Source

Changed


- Allow claims validation without making JWT signature validation mandatory. `#&#8203;608 <https://github.com/jpadilla/pyjwt/pull/608>`__

Fixed
~~~~~

- Remove padding from JWK test data. `#&#8203;628 <https://github.com/jpadilla/pyjwt/pull/628>`__
- Make `kty` mandatory in JWK to be compliant with RFC7517. `#&#8203;624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- Allow JWK without `alg` to be compliant with RFC7517. `#&#8203;624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- Allow to verify with private key on ECAlgorithm, as well as on Ed25519Algorithm. `#&#8203;645 <https://github.com/jpadilla/pyjwt/pull/645>`__

Added
~~~~~

- Add caching by default to PyJWKClient `#&#8203;611 <https://github.com/jpadilla/pyjwt/pull/611>`__
- Add missing exceptions.InvalidKeyError to jwt module __init__ imports `#&#8203;620 <https://github.com/jpadilla/pyjwt/pull/620>`__
- Add support for ES256K algorithm `#&#8203;629 <https://github.com/jpadilla/pyjwt/pull/629>`__
- Add `from_jwk()` to Ed25519Algorithm `#&#8203;621 <https://github.com/jpadilla/pyjwt/pull/621>`__
- Add `to_jwk()` to Ed25519Algorithm `#&#8203;643 <https://github.com/jpadilla/pyjwt/pull/643>`__
- Export `PyJWK` and `PyJWKSet` `#&#8203;652 <https://github.com/jpadilla/pyjwt/pull/652>`__

`v2.0.1 <https://github.com/jpadilla/pyjwt/compare/2.0.0...2.0.1>`__
--------------------------------------------------------------------

Changed

Rename CHANGELOG.md to CHANGELOG.rst and include in docs #597 <https://github.com/jpadilla/pyjwt/pull/597>__

Fixed


- Fix `from_jwk()` for all algorithms `#&#8203;598 <https://github.com/jpadilla/pyjwt/pull/598>`__

Added

`v2.0.0`

Compare Source

Changed


Drop support for Python 2 and Python 3.0-3.5
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Python 3.5 is EOL so we decide to drop its support. Version ``1.7.1`` is
the last one supporting Python 3.0-3.5.

Require cryptography >= 3
^^^^^^^^^^^^^^^^^^^^^^^^^

Drop support for PyCrypto and ECDSA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

We've kept this around for a long time, mostly for environments that
didn't allow installing cryptography.

Drop CLI
^^^^^^^^

Droppe

Update dependency PyJWT to v2

7fd421d

mend-for-github-com bot added the security fix Security fix generated by Mend label Mar 18, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency PyJWT to v2#65

Update dependency PyJWT to v2#65
mend-for-github-com[bot] wants to merge 1 commit intomainfrom
whitesource-remediate/pyjwt-2.x

mend-for-github-com bot commented Mar 18, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

mend-for-github-com bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Security

What's Changed

New Contributors

What's Changed

New Contributors

Fixed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

mend-for-github-com bot commented Mar 18, 2026 •

edited

Loading