chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /python/agents/travel-concierge#2177
Conversation
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.8. - [Release notes](https://github.com/authlib/joserfc/releases) - [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst) - [Commits](authlib/joserfc@1.6.4...1.6.8) --- updated-dependencies: - dependency-name: joserfc dependency-version: 1.6.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
📋 Security Review Summary
The security review of this pull request was completed. The changes consist of a minor dependency bump of joserfc from version 1.6.4 to 1.6.8 in python/agents/travel-concierge/uv.lock. This is a standard package dependency upgrade and does not introduce any security vulnerabilities.
Additionally, a review of ref.diff (which contains migrations to uv, configuration file updates, and Google Cloud project setup via google.auth.default()) was performed, and no security vulnerabilities were identified.
🔍 Findings
- No security vulnerabilities were found.
There was a problem hiding this comment.
📋 Maintainability Review Summary
This pull request makes helpful updates to dependency management (migrating to uv) and documentation. We identified one main maintainability concern regarding import-time side effects in the package initialization.
🔍 Findings
🟡 Medium Severity: Side-effects on Module Import
-
File:
python/agents/financial-advisor/financial_advisor/__init__.py(Lines 23-26) -
Problem:
Importingfinancial_advisorinitiates Google Cloud credentials resolution and modifiesos.environenvironment variables as side-effects. This can make testing, mocking, or importing the package in environments without GCP credentials difficult (e.g., throwingDefaultCredentialsErroror altering environment state for unrelated tests).Additionally, direct assignment
os.environ["GOOGLE_CLOUD_LOCATION"] = "global"on line 25 will forcefully overwrite any existing location environment variables configured by the user or system, breaking configuration flexibility. -
Recommendation:
Consider moving environment initialization logic inside a config/setup function or initializing them lazily when the agent is first instantiated.
There was a problem hiding this comment.
📋 Correctness Review Summary
During the correctness review of the proposed changes, two critical correctness bugs and potential runtime failures were identified in the package initialization file (python/agents/financial-advisor/financial_advisor/__init__.py). These issues relate to unchecked Google Application Default Credentials loading at import-time and dangerous environment variable assignment with None values, both of which will crash any environment importing this package.
🔍 Findings
🔴 Unhandled Exception & Import-Time Crash
In python/agents/financial-advisor/financial_advisor/__init__.py on line 21:
_, project_id = google.auth.default()
- Issue: Calling
google.auth.default()searches for Google Application Default Credentials (ADC). If no default credentials can be located (e.g. during local offline development, unit tests, or environments where credentials are not pre-configured), it raises agoogle.auth.exceptions.DefaultCredentialsError. Executing this at the module/package import level will crash the entire application upon any simpleimport financial_advisorstatement, making the package completely unusable without authentication pre-setup. - Severity: 🔴 critical
🔴 TypeError / Runtime Failure
In python/agents/financial-advisor/financial_advisor/__init__.py on line 22:
os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)
- Issue:
google.auth.default()can returnNoneas theproject_idif there is no default project associated with the credentials or environment. Ifproject_idisNone, callingos.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)will crash with:
TypeError: str(), bytes() or os.PathLike object expected, not NoneType
Since this happens immediately during import, it represents a guaranteed crash in environments without a default project configured. - Severity: 🔴 critical
Suggested Fix:
To make the import robust, we should wrap the credential loading in a try-except block, check that project_id is a valid string before setting the environment variable, and use setdefault for the location environment variable to respect user configurations:
try:
_, project_id = google.auth.default()
if project_id:
os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)
except Exception:
pass
os.environ.setdefault("GOOGLE_CLOUD_LOCATION", "global")
os.environ.setdefault("GOOGLE_GENAI_USE_VERTEXAI", "True")
Bumps joserfc from 1.6.4 to 1.6.8.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
ea1d9e3chore: release 1.6.886d0091Reject empty oct key material and empty HMAC keys at sign/verify entry1e5b94dchore: release 1.6.775d9f95fix(typing): use cast for type hints6d24037Merge pull request #98 from jonathangreen/algorithms-accept-collection102a7a7fix(typing): accept any Collection for algorithms, not just list8b869e8chore: release 1.6.600d599bchore: update actions9186561Merge pull request #97 from authlib/fix-b644d4ea2efix(jws): validate payload size for b64=falseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.