diff --git a/changelog/4035.security.md b/changelog/4035.security.md new file mode 100644 index 000000000..9ffc17305 --- /dev/null +++ b/changelog/4035.security.md @@ -0,0 +1 @@ +- Bumped PyJWT minimum version from 2.10.1 to 2.12.0 in the `livekit` extra to address CVE-2026-32597 (GHSA-752w-5fwx-jx9f), where PyJWT <= 2.11.0 accepted unknown `crit` header extensions. diff --git a/pyproject.toml b/pyproject.toml index ec729cf49..c93c7b173 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -83,7 +83,7 @@ kokoro = [ "kokoro-onnx>=0.5.0,<1", "requests>=2.32.5,<3" ] krisp = [ "pipecat-ai-krisp~=0.4.0" ] langchain = [ "langchain~=0.3.20", "langchain-community~=0.3.20", "langchain-openai~=0.3.9" ] lemonslice = [ "pipecat-ai[daily]" ] -livekit = [ "livekit>=1.0.13,<2", "livekit-api>=1.0.5,<2", "tenacity>=8.2.3,<10.0.0", "pyjwt>=2.10.1,<3" ] +livekit = [ "livekit>=1.0.13,<2", "livekit-api>=1.0.5,<2", "tenacity>=8.2.3,<10.0.0", "pyjwt>=2.12.0,<3" ] lmnt = [ "pipecat-ai[websockets-base]" ] local = [ "pyaudio~=0.2.14" ] local-smart-turn = [ "coremltools>=8.0", "transformers>=4.48.0,<6", "torch>=2.5.0,<3", "torchaudio>=2.5.0,<3" ] diff --git a/uv.lock b/uv.lock index 38026dc19..c5f699aa4 100644 --- a/uv.lock +++ b/uv.lock @@ -4872,7 +4872,7 @@ requires-dist = [ { name = "pyaudio", marker = "extra == 'local'", specifier = "~=0.2.14" }, { name = "pydantic", specifier = ">=2.10.6,<3" }, { name = "pygobject", marker = "extra == 'gstreamer'", specifier = "~=3.50.0" }, - { name = "pyjwt", marker = "extra == 'livekit'", specifier = ">=2.10.1,<3" }, + { name = "pyjwt", marker = "extra == 'livekit'", specifier = ">=2.12.0,<3" }, { name = "pyloudnorm", specifier = "~=0.2.0" }, { name = "pyrnnoise", marker = "extra == 'rnnoise'", specifier = "~=0.4.1" }, { name = "python-dotenv", marker = "extra == 'runner'", specifier = ">=1.0.0,<2.0.0" },