Update dependency PyJWT to v2.12.0

[mend-for-github-com]

This PR contains the following updates:

Package	Update	Change
PyJWT	minor	==2.6.0 → ==2.12.0

By merging this PR, the issue #31 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability
High	7.5	CVE-2026-32597

---

Release Notes

jpadilla/pyjwt (PyJWT)

v2.12.0

Compare Source

Security

• Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @​dmbs335 in GHSA-752w-5fwx-jx9f

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1132
• chore(docs): fix docs build by @​tamird in #​1137
• Annotate PyJWKSet.keys for pyright by @​tamird in #​1134
• fix: close HTTPError to prevent ResourceWarning on Python 3.14 by @​veeceey in #​1133
• chore: remove superfluous constants by @​tamird in #​1136
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1135
• chore(tests): enable mypy by @​tamird in #​1138
• Bump actions/download-artifact from 7 to 8 by @​dependabot[bot] in #​1142
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1141
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1145
• fix: do not store reference to algorithms dict on PyJWK by @​akx in #​1143
• Use PyJWK algorithm when encoding without explicit algorithm by @​jpadilla in #​1148

New Contributors

• @​tamird made their first contribution in #​1137
• @​veeceey made their first contribution in #​1133

Full Changelog: jpadilla/pyjwt@2.11.0...2.12.0

v2.11.0

Compare Source

What's Changed

• Fixed type error in comment by @​shuhaib-aot in #​1026
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1018
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1033
• Make note of use of leeway with nbf by @​djw8605 in #​1034
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1035
• Fixes #​964: Validate key against allowed types for Algorithm family by @​pachewise in #​985
• Feat #​1024: Add iterator for PyJWKSet by @​pachewise in #​1041
• Fixes #​1039: Add iss, issuer type checks by @​pachewise in #​1040
• Fixes #​660: Improve typing/logic for options in decode, decode_complete; Improve docs by @​pachewise in #​1045
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1042
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1052
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1053
• Fix #​1022: Map algorithm=None to "none" by @​qqii in #​1056
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1055
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1058
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1060
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1061
• Fixes #​1047: Correct PyJWKClient.get_signing_key_from_jwt annotation by @​khvn26 in #​1048
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1062
• Fixed doc string typo in _validate_jti() function #​1063 by @​kuldeepkhatke in #​1064
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1065
• Update SECURITY.md by @​auvipy in #​1057
• Typing fix: use float instead of int for lifespan and timeout by @​nikitagashkov in #​1068
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1067
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1071
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1076
• Fix TYP header documentation by @​fobiasmog in #​1046
• doc: Document claims sub and jti by @​cleder in #​1088
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1077
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​1089
• Bump actions/stale from 8 to 10 by @​dependabot[bot] in #​1090
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​1083
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1091
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1093
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1096
• Resolve package build warnings by @​kurtmckee in #​1105
• Support Python 3.14, and test against PyPy 3.10+ by @​kurtmckee in #​1104
• Fix a SyntaxWarning caused by invalid escape sequences by @​kurtmckee in #​1103
• Standardize CHANGELOG links to PRs by @​kurtmckee in #​1110
• Migrate from pep517, which is deprecated, to build by @​kurtmckee in #​1108
• Fix incorrectly-named test suite function by @​kurtmckee in #​1116
• Fix Read the Docs builds by @​kurtmckee in #​1111
• Bump actions/download-artifact from 4 to 6 by @​dependabot[bot] in #​1118
• Escalate test suite warnings to errors by @​kurtmckee in #​1107
• Add pyupgrade as a pre-commit hook by @​kurtmckee in #​1109
• Simplify the test suite decorators by @​kurtmckee in #​1113
• Improve coverage config and eliminate unused test suite code by @​kurtmckee in #​1115
• Build a shared wheel once in the test suite by @​kurtmckee in #​1114
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1122
• Thoroughly test type annotations, and resolve errors by @​kurtmckee in #​1112
• Fix leeway value in usage documentation by @​Matthew1471 in #​1124
• Bump actions/download-artifact from 6 to 7 by @​dependabot[bot] in #​1125

New Contributors

• @​shuhaib-aot made their first contribution in #​1026
• @​qqii made their first contribution in #​1056
• @​khvn26 made their first contribution in #​1048
• @​kuldeepkhatke made their first contribution in #​1064
• @​nikitagashkov made their first contribution in #​1068
• @​fobiasmog made their first contribution in #​1046
• @​Matthew1471 made their first contribution in #​1124

Full Changelog: jpadilla/pyjwt@2.10.1...2.11.0

v2.10.1

Compare Source

Fixed

• Prevent partial matching of iss claim. Thanks @​fabianbadoi! (See: GHSA-75c5-xw7c-p5pm)

Full Changelog: jpadilla/pyjwt@2.10.0...2.10.1

v2.10.0

Compare Source

What's Changed

• chore: use sequence for typing rather than list by @​imnotjames in #​970
• Add support for Python 3.13 by @​hugovk in #​972
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​971
• Add an RTD config file to resolve RTD build failures by @​kurtmckee in #​977
• docs: Update iat exception docs by @​pachewise in #​974
• Remove algorithm requirement for JWT API by @​luhn in #​975
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​978
• Create SECURITY.md by @​auvipy in #​973
• docs fix: decode_complete scope and algorithms by @​RbnRncn in #​982
• fix doctest for docs/usage.rst by @​pachewise in #​986
• fix test_utils.py not to xfail by @​pachewise in #​987
• Correct jwt.decode audience param doc expression by @​peter279k in #​994
• Add PS256 encoding and decoding usage by @​peter279k in #​992
• Add API docs for PyJWK by @​luhn in #​980
• Refactor project configuration files from setup.cfg to pyproject.toml PEP-518 by @​cleder in #​995
• Add JWK support to JWT encode by @​luhn in #​979
• Update pre-commit hooks to lint pyproject.toml by @​cleder in #​1002
• Add EdDSA algorithm encoding/decoding usage by @​peter279k in #​993
• Ruff linter and formatter changes by @​gagandeepp in #​1001
• Validate sub and jti claims for the token by @​Divan009 in #​1005
• Add ES256 usage by @​Gautam-Hegde in #​1003
• Encode EC keys with a fixed bit length by @​way-dave in #​990
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1000
• Drop support for Python 3.8 by @​kkirsche in #​1007
• Prepare 2.10.0 release by @​benvdh in #​1011
• Bump codecov/codecov-action from 4 to 5 by @​dependabot in #​1014
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in #​1006

New Contributors

• @​imnotjames made their first contribution in #​970
• @​kurtmckee made their first contribution in #​977
• @​pachewise made their first contribution in #​974
• @​RbnRncn made their first contribution in #​982
• @​peter279k made their first contribution in #​994
• @​cleder made their first contribution in #​995
• @​gagandeepp made their first contribution in #​1001
• @​Divan009 made their first contribution in #​1005
• @​Gautam-Hegde made their first contribution in #​1003
• @​way-dave made their first contribution in #​990

Full Changelog: jpadilla/pyjwt@2.9.0...2.10.0

v2.9.0

Compare Source

Changed

- Drop support for Python 3.7 (EOL) by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Allow JWT issuer claim validation to accept a list of strings too by @&#8203;mattpollak in `#&#8203;913 <https://github.com/jpadilla/pyjwt/pull/913>`__

Fixed
~~~~~

- Fix unnecessary string concatenation by @&#8203;sirosen in `#&#8203;904 <https://github.com/jpadilla/pyjwt/pull/904>`__
- Fix docs for ``jwt.decode_complete`` to include ``strict_aud`` option by @&#8203;woodruffw in `#&#8203;923 <https://github.com/jpadilla/pyjwt/pull/923>`__
- Fix docs step by @&#8203;jpadilla in `#&#8203;950 <https://github.com/jpadilla/pyjwt/pull/950>`__
- Fix: Remove an unused variable from example code block by @&#8203;kenkoooo in `#&#8203;958 <https://github.com/jpadilla/pyjwt/pull/958>`__

Added
~~~~~

- Add support for Python 3.12 by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Improve performance of ``is_ssh_key`` + add unit test by @&#8203;bdraco in `#&#8203;940 <https://github.com/jpadilla/pyjwt/pull/940>`__
- Allow ``jwt.decode()`` to accept a PyJWK object by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Make ``algorithm_name`` attribute available on PyJWK by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Raise ``InvalidKeyError`` on invalid PEM keys to be compatible with cryptography 42.x.x by @&#8203;CollinEMac in `#&#8203;952 <https://github.com/jpadilla/pyjwt/pull/952>`__
- Raise an exception when required cryptography dependency is missing by @&#8203;tobloef in `<https://github.com/jpadilla/pyjwt/pull/963>`__

`v2.8.0 <https://github.com/jpadilla/pyjwt/compare/2.7.0...2.8.0>`__
-----------------------------------------------------------------------

Changed

• Update python version test matrix by @​auvipy in #&#8203;895 <https://github.com/jpadilla/pyjwt/pull/895>__

Fixed

Added

• Add strict_aud as an option to jwt.decode by @​woodruffw in #&#8203;902 <https://github.com/jpadilla/pyjwt/pull/902>__
• Export PyJWKClientConnectionError class by @​daviddavis in #&#8203;887 <https://github.com/jpadilla/pyjwt/pull/887>__
• Allows passing of ssl.SSLContext to PyJWKClient by @​juur in #&#8203;891 <https://github.com/jpadilla/pyjwt/pull/891>__

v2.8.0

Compare Source

Changed

- Drop support for Python 3.7 (EOL) by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Allow JWT issuer claim validation to accept a list of strings too by @&#8203;mattpollak in `#&#8203;913 <https://github.com/jpadilla/pyjwt/pull/913>`__

Fixed
~~~~~

- Fix unnecessary string concatenation by @&#8203;sirosen in `#&#8203;904 <https://github.com/jpadilla/pyjwt/pull/904>`__
- Fix docs for ``jwt.decode_complete`` to include ``strict_aud`` option by @&#8203;woodruffw in `#&#8203;923 <https://github.com/jpadilla/pyjwt/pull/923>`__
- Fix docs step by @&#8203;jpadilla in `#&#8203;950 <https://github.com/jpadilla/pyjwt/pull/950>`__
- Fix: Remove an unused variable from example code block by @&#8203;kenkoooo in `#&#8203;958 <https://github.com/jpadilla/pyjwt/pull/958>`__

Added
~~~~~

- Add support for Python 3.12 by @&#8203;hugovk in `#&#8203;910 <https://github.com/jpadilla/pyjwt/pull/910>`__
- Improve performance of ``is_ssh_key`` + add unit test by @&#8203;bdraco in `#&#8203;940 <https://github.com/jpadilla/pyjwt/pull/940>`__
- Allow ``jwt.decode()`` to accept a PyJWK object by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Make ``algorithm_name`` attribute available on PyJWK by @&#8203;luhn in `#&#8203;886 <https://github.com/jpadilla/pyjwt/pull/886>`__
- Raise ``InvalidKeyError`` on invalid PEM keys to be compatible with cryptography 42.x.x by @&#8203;CollinEMac in `#&#8203;952 <https://github.com/jpadilla/pyjwt/pull/952>`__
- Raise an exception when required cryptography dependency is missing by @&#8203;tobloef in `<https://github.com/jpadilla/pyjwt/pull/963>`__

`v2.8.0 <https://github.com/jpadilla/pyjwt/compare/2.7.0...2.8.0>`__
-----------------------------------------------------------------------

Changed

• Update python version test matrix by @​auvipy in #&#8203;895 <https://github.com/jpadilla/pyjwt/pull/895>__

Fixed

Added

• Add strict_aud as an option to jwt.decode by @​woodruffw in #&#8203;902 <https://github.com/jpadilla/pyjwt/pull/902>__
• Export PyJWKClientConnectionError class by @​daviddavis in #&#8203;887 <https://github.com/jpadilla/pyjwt/pull/887>__
• Allows passing of ssl.SSLContext to PyJWKClient by @​juur in #&#8203;891 <https://github.com/jpadilla/pyjwt/pull/891>__

v2.7.0

Compare Source

Changed

- Changed the error message when the token audience doesn't match the expected audience by @&#8203;irdkwmnsb `#&#8203;809 <https://github.com/jpadilla/pyjwt/pull/809>`__
- Improve error messages when cryptography isn't installed by @&#8203;Viicos in `#&#8203;846 <https://github.com/jpadilla/pyjwt/pull/846>`__
- Make `Algorithm` an abstract base class by @&#8203;Viicos in `#&#8203;845 <https://github.com/jpadilla/pyjwt/pull/845>`__
- ignore invalid keys in a jwks by @&#8203;timw6n in `#&#8203;863 <https://github.com/jpadilla/pyjwt/pull/863>`__

Fixed
~~~~~

- Add classifier for Python 3.11 by @&#8203;eseifert in `#&#8203;818 <https://github.com/jpadilla/pyjwt/pull/818>`__
- Fix ``_validate_iat`` validation by @&#8203;Viicos in `#&#8203;847 <https://github.com/jpadilla/pyjwt/pull/847>`__
- fix: use datetime.datetime.timestamp function to have a milliseconds by @&#8203;daillouf `#&#8203;821 <https://github.com/jpadilla/pyjwt/pull/821>`__
- docs: correct mistake in the changelog about verify param by @&#8203;gbillig in `#&#8203;866 <https://github.com/jpadilla/pyjwt/pull/866>`__

Added
~~~~~

- Add ``compute_hash_digest`` as a method of ``Algorithm`` objects, which uses
  the underlying hash algorithm to compute a digest. If there is no appropriate
  hash algorithm, a ``NotImplementedError`` will be raised in `#&#8203;775 <https://github.com/jpadilla/pyjwt/pull/775>`__
- Add optional ``headers`` argument to ``PyJWKClient``. If provided, the headers
  will be included in requests that the client uses when fetching the JWK set by @&#8203;thundercat1 in `#&#8203;823 <https://github.com/jpadilla/pyjwt/pull/823>`__
- Add PyJWT._{de,en}code_payload hooks by @&#8203;akx in `#&#8203;829 <https://github.com/jpadilla/pyjwt/pull/829>`__
- Add `sort_headers` parameter to `api_jwt.encode` by @&#8203;evroon in `#&#8203;832 <https://github.com/jpadilla/pyjwt/pull/832>`__
- Make mypy configuration stricter and improve typing by @&#8203;akx in `#&#8203;830 <https://github.com/jpadilla/pyjwt/pull/830>`__
- Add more types by @&#8203;Viicos in `#&#8203;843 <https://github.com/jpadilla/pyjwt/pull/843>`__
- Add a timeout for PyJWKClient requests by @&#8203;daviddavis in `#&#8203;875 <https://github.com/jpadilla/pyjwt/pull/875>`__
- Add client connection error exception by @&#8203;daviddavis in `#&#8203;876 <https://github.com/jpadilla/pyjwt/pull/876>`__
- Add complete types to take all allowed keys into account by @&#8203;Viicos in `#&#8203;873 <https://github.com/jpadilla/pyjwt/pull/873>`__
- Add `as_dict` option to `Algorithm.to_jwk` by @&#8203;fluxth in `#&#8203;881 <https://github.com/jpadilla/pyjwt/pull/881>`__

`v2.6.0 <https://github.com/jpadilla/pyjwt/compare/2.5.0...2.6.0>`__
-----------------------------------------------------------------------

Changed

• bump up cryptography >= 3.4.0 by @​jpadilla in #&#8203;807 <https://github.com/jpadilla/pyjwt/pull/807>__
• Remove types-cryptography from crypto extra by @​lautat in #&#8203;805 <https://github.com/jpadilla/pyjwt/pull/805>__

Fixed

- Invalidate token on the exact second the token expires `#&#8203;797 <https://github.com/jpadilla/pyjwt/pull/797>`__
- fix: version 2.5.0 heading typo by @&#8203;c0state in `#&#8203;803 <https://github.com/jpadilla/pyjwt/pull/803>`__

Added

• Adding validation for issued_at when iat > (now + leeway) as ImmatureSignatureError by @​sriharan16 in #&#8203;794 <https://github.com/jpadilla/pyjwt/pull/794>__

---

• If you want to rebase/retry this PR, check this box