From 07aaace8107ccc5f521d3869fe0f8834bb1e5d96 Mon Sep 17 00:00:00 2001
From: Vitor Hugo
Date: Sat, 21 Mar 2026 00:25:17 -0300
Subject: [PATCH] fix: bump PyJWT to 2.12.1 to fix CVE-2026-32597
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PyJWT <= 2.11.0 does not validate the `crit` (Critical) Header Parameter per RFC 7515 ยง4.1.11, allowing tokens with unknown critical extensions to be accepted. Fixed in 2.12.0.

GHSA-752w-5fwx-jx9f / CVE-2026-32597 (CVSS 7.5 HIGH)

Co-Authored-By: Claude Sonnet 4.6
---
 poetry.lock | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 34d9bd7..ca677b0 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1031,16 +1031,20 @@ windows-terminal = ["colorama (>=0.4.6)"]
 
 [[package]]
 name = "pyjwt"
-version = "2.12.0"
+version = "2.12.1"
 description = "JSON Web Token implementation in Python"
-optional = false
+optional = true
 python-versions = ">=3.9"
 groups = ["main"]
+markers = "extra == \"redis\""
 files = [
-    {file = "pyjwt-2.12.0-py3-none-any.whl", hash = "sha256:9bb459d1bdd0387967d287f5656bf7ec2b9a26645d1961628cda1764e087fd6e"},
-    {file = "pyjwt-2.12.0.tar.gz", hash = "sha256:2f62390b667cd8257de560b850bb5a883102a388829274147f1d724453f8fb02"},
+    {file = "pyjwt-2.12.1-py3-none-any.whl", hash = "sha256:28ca37c070cad8ba8cd9790cd940535d40274d22f80ab87f3ac6a713e6e8454c"},
+    {file = "pyjwt-2.12.1.tar.gz", hash = "sha256:c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b"},
 ]
 
+[package.dependencies]
+typing_extensions = {version = ">=4.0", markers = "python_version < \"3.11\""}
+
 [package.extras]
 crypto = ["cryptography (>=3.4.0)"]
 dev = ["coverage[toml] (==7.10.7)", "cryptography (>=3.4.0)", "pre-commit", "pytest (>=8.4.2,<9.0.0)", "sphinx", "sphinx-rtd-theme", "zope.interface"]