From 24c3d23229b3b78582a8597c0f6d21c56fa9a030 Mon Sep 17 00:00:00 2001 From: Mark Backman Date: Sun, 15 Mar 2026 08:53:06 -0400 Subject: [PATCH 1/2] Bump PyJWT minimum version to 2.12.0 for CVE-2026-32597 Addresses Dependabot alert #165 (GHSA-752w-5fwx-jx9f) where PyJWT <= 2.11.0 accepts unknown `crit` header extensions. --- pyproject.toml | 2 +- uv.lock | 11 +++++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 48226b14f..6c47ea8b4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -83,7 +83,7 @@ kokoro = [ "kokoro-onnx>=0.5.0,<1", "requests>=2.32.5,<3" ] krisp = [ "pipecat-ai-krisp~=0.4.0" ] langchain = [ "langchain~=0.3.20", "langchain-community~=0.3.20", "langchain-openai~=0.3.9" ] lemonslice = [ "pipecat-ai[daily]" ] -livekit = [ "livekit>=1.0.13,<2", "livekit-api>=1.0.5,<2", "tenacity>=8.2.3,<10.0.0", "pyjwt>=2.10.1,<3" ] +livekit = [ "livekit>=1.0.13,<2", "livekit-api>=1.0.5,<2", "tenacity>=8.2.3,<10.0.0", "pyjwt>=2.12.0,<3" ] lmnt = [ "pipecat-ai[websockets-base]" ] local = [ "pyaudio~=0.2.14" ] local-smart-turn = [ "coremltools>=8.0", "transformers>=4.48.0,<6", "torch>=2.5.0,<3", "torchaudio>=2.5.0,<3" ] diff --git a/uv.lock b/uv.lock index b68216261..b11a51bb2 100644 --- a/uv.lock +++ b/uv.lock @@ -4862,7 +4862,7 @@ requires-dist = [ { name = "pyaudio", marker = "extra == 'local'", specifier = "~=0.2.14" }, { name = "pydantic", specifier = ">=2.10.6,<3" }, { name = "pygobject", marker = "extra == 'gstreamer'", specifier = "~=3.50.0" }, - { name = "pyjwt", marker = "extra == 'livekit'", specifier = ">=2.10.1,<3" }, + { name = "pyjwt", marker = "extra == 'livekit'", specifier = ">=2.12.0,<3" }, { name = "pyloudnorm", specifier = "~=0.2.0" }, { name = "pyrnnoise", marker = "extra == 'rnnoise'", specifier = "~=0.4.1" }, { name = "python-dotenv", marker = "extra == 'runner'", specifier = ">=1.0.0,<2.0.0" }, @@ -5473,11 +5473,14 @@ sdist = { url = "https://files.pythonhosted.org/packages/a7/5d/f2946cc6c1baf56de [[package]] name = "pyjwt" -version = "2.11.0" +version = "2.12.1" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/5c/5a/b46fa56bf322901eee5b0454a34343cdbdae202cd421775a8ee4e42fd519/pyjwt-2.11.0.tar.gz", hash = "sha256:35f95c1f0fbe5d5ba6e43f00271c275f7a1a4db1dab27bf708073b75318ea623", size = 98019, upload-time = "2026-01-30T19:59:55.694Z" } +dependencies = [ + { name = "typing-extensions", marker = "python_full_version < '3.11'" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/c2/27/a3b6e5bf6ff856d2509292e95c8f57f0df7017cf5394921fc4e4ef40308a/pyjwt-2.12.1.tar.gz", hash = "sha256:c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b", size = 102564, upload-time = "2026-03-13T19:27:37.25Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/6f/01/c26ce75ba460d5cd503da9e13b21a33804d38c2165dec7b716d06b13010c/pyjwt-2.11.0-py3-none-any.whl", hash = "sha256:94a6bde30eb5c8e04fee991062b534071fd1439ef58d2adc9ccb823e7bcd0469", size = 28224, upload-time = "2026-01-30T19:59:54.539Z" }, + { url = "https://files.pythonhosted.org/packages/e5/7a/8dd906bd22e79e47397a61742927f6747fe93242ef86645ee9092e610244/pyjwt-2.12.1-py3-none-any.whl", hash = "sha256:28ca37c070cad8ba8cd9790cd940535d40274d22f80ab87f3ac6a713e6e8454c", size = 29726, upload-time = "2026-03-13T19:27:35.677Z" }, ] [package.optional-dependencies] From e8415b745162d269867d6c07c0b5298fa8175e16 Mon Sep 17 00:00:00 2001 From: Mark Backman Date: Sun, 15 Mar 2026 08:56:54 -0400 Subject: [PATCH 2/2] Add changelog for #4035 --- changelog/4035.security.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/4035.security.md diff --git a/changelog/4035.security.md b/changelog/4035.security.md new file mode 100644 index 000000000..9ffc17305 --- /dev/null +++ b/changelog/4035.security.md @@ -0,0 +1 @@ +- Bumped PyJWT minimum version from 2.10.1 to 2.12.0 in the `livekit` extra to address CVE-2026-32597 (GHSA-752w-5fwx-jx9f), where PyJWT <= 2.11.0 accepted unknown `crit` header extensions.