From 81cd4fc2f1d7a23586aaed63ac4f4d4f29a83aa8 Mon Sep 17 00:00:00 2001
From: jross <jake.ross@nmt.edu>
Date: Mon, 8 Jun 2026 12:25:47 -0600
Subject: [PATCH] fix: pin joserfc in requirements.txt to unblock buildpack
 deploy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

authlib 1.6.x → 1.7.2 added joserfc as a new runtime dependency, but
the lockfile bump did not regenerate requirements.txt, so joserfc was
absent. The Google buildpack installs with pip --require-hashes, which
rejected the unpinned `joserfc>=1.6.0` pulled transitively from
authlib:

  ERROR: In --require-hashes mode, all requirements must have their
  versions pinned with ==. These do not: joserfc>=1.6.0

Add joserfc==1.7.1 with its sdist + py3-none-any wheel hashes from
uv.lock. Verified joserfc is the only non-dev dependency in uv.lock
missing from requirements.txt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 requirements.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/requirements.txt b/requirements.txt
index 0335fdcb..137a817a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1035,6 +1035,10 @@ jinja2==3.1.6 \
     #   ocotilloapi
     #   pygeoapi
     #   starlette-admin
+joserfc==1.7.1 \
+    --hash=sha256:77d0b76514879c68c6f433bc5b7357a4ab72008ff1e33d8379fd11d72bd8ca81 \
+    --hash=sha256:b3e3d655612e2e1ef67b2600f2f420e12e537b020208fab1761fad647319c164
+    # via authlib
 jsonschema==4.26.0 \
     --hash=sha256:0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326 \
     --hash=sha256:d489f15263b8d200f8387e64b4c3a75f06629559fb73deb8fdfb525f2dab50ce