Skip to content

chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /python/agents/realtime-conversational-agent/server#2180

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python/agents/realtime-conversational-agent/server/joserfc-1.6.8
Open

chore(deps): bump joserfc from 1.6.4 to 1.6.8 in /python/agents/realtime-conversational-agent/server#2180
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python/agents/realtime-conversational-agent/server/joserfc-1.6.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps joserfc from 1.6.4 to 1.6.8.

Release notes

Sourced from joserfc's releases.

1.6.8

  • Reject empty OctKey.

Full Changelog: authlib/joserfc@1.6.7...1.6.8

1.6.7

   🐞 Bug Fixes

    View changes on GitHub

1.6.5

No significant changes

    View changes on GitHub
Changelog

Sourced from joserfc's changelog.

1.6.8

Released on May 27, 2026

  • Reject empty OctKey.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.

1.6.5

Released on May 3, 2026

  • JWS: increase registry's payload max size.
Commits
  • ea1d9e3 chore: release 1.6.8
  • 86d0091 Reject empty oct key material and empty HMAC keys at sign/verify entry
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.8.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.8)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📋 Maintainability Review Summary

This pull request was reviewed for maintainability. The changes are limited to updating dependency versions in uv.lock for the realtime-conversational-agent server.

🔍 Findings

  • No maintainability issues were found. The changes consist solely of auto-generated dependency lockfile updates, which do not contain any custom naming, magic numbers, or code duplication.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📋 Security Review Summary

This pull request is a dependency update that bumps the joserfc package version from 1.6.4 to 1.6.8 in python/agents/realtime-conversational-agent/server/uv.lock. No source code modifications are made, and no security vulnerabilities are introduced or exposed by these changes.

🔍 Findings

  • No security vulnerabilities were found.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📋 Correctness Review Summary

This review focuses exclusively on correctness, logic errors, and potential runtime failures in the changed files. A critical issue was identified in the module's initialization file.

🔍 Correctness Findings

🔴 Critical: Unhandled exceptions and TypeErrors on module import

In python/agents/financial-advisor/financial_advisor/__init__.py:

_, project_id = google.auth.default()
os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)

Description of the bug:

  1. Unhandled DefaultCredentialsError: If Application Default Credentials (ADC) are not configured in the environment (common in local development, testing, or build/CI environments), google.auth.default() will raise a DefaultCredentialsError. Since this is at the module's root scope, any import of the package will crash.
  2. TypeError with None values: If credentials are found but the project ID cannot be determined (which returns None), os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id) will try to set None in os.environ. In Python, setting a None value in os.environ raises TypeError: str expected, not NoneType, crashing the import.

Suggested Fix:
Wrap the default credential resolution in a try-except block and only set the environment variable if project_id is a valid string.

import os

import google.auth
from google.auth.exceptions import DefaultCredentialsError

try:
    _, project_id = google.auth.default()
except DefaultCredentialsError:
    project_id = None

if project_id:
    os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)

os.environ.setdefault("GOOGLE_CLOUD_LOCATION", "global")
os.environ.setdefault("GOOGLE_GENAI_USE_VERTEXAI", "True")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants