chore(deps): bump authlib from 1.7.0 to 1.7.1 in /envs/opencode_env #780
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [authlib](https://github.com/authlib/authlib) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Commits](authlib/authlib@v1.7.0...1.7.1)
---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.7.1
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Verdict: Approve ✅
Two-tier review of this Dependabot lockfile bump (envs/opencode_env/uv.lock, +9/-9).
Tier 1 — Bugs / correctness / lint
No issues.
- authlib 1.7.0 → 1.7.1 is a patch bump: fixes a joserfc deprecation warning and (security-relevant) fixes redirecting to an unvalidated redirect_uri on InvalidScopeError in the OIDC implicit/hybrid grants. sdist/wheel hashes are updated consistently.
- The lock also shows openenv-core 0.3.0 → openenv 0.3.1 (package name + requires-dist). I verified that envs/opencode_env/pyproject.toml at this PR head already declares openenv[core]>=0.3.0 — so this is simply Dependabot regenerating a stale lockfile into coherence with the already-migrated manifest, not a hidden rename migration. The lock is internally coherent and installable.
Tier 2 — Alignment with OpenEnv principles
No concerns. Lockfile-only dependency maintenance; no source, no API boundary, no invariants affected.
Routine, safe bump — carries a minor upstream security fix as a bonus.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Tier 1 — Bugs & Lint
No issues. Lockfile-only change with valid hashes.
The authlib 1.7.0 → 1.7.1 bump is worth taking: 1.7.1 fixes redirecting to an unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant/OpenIDHybridGrant (security-relevant), plus a joserfc deprecation-warning fix.
Note — the bundled openenv-core → openenv lock change is correct, not scope creep
This PR also rewrites the locked core package from openenv-core 0.3.0 to openenv 0.3.1. I verified this is intended and beneficial:
- envs/opencode_env/pyproject.toml on main already declares openenv[core]>=0.3.0 (the renamed package).
- The committed uv.lock on main was stale, still pinning the old openenv-core name.
- Dependabot's re-lock brings the lockfile in line with what pyproject.toml already requires (the core package was renamed openenv-core → openenv on PyPI).
So this PR incidentally fixes a pre-existing lock/manifest inconsistency in addition to the authlib bump.
Tier 2 — Alignment
No concerns.
Verdict: approve ✅
Automated review by Claude Code
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review (Tier 1 + Tier 2)
Tier 1 — mechanical: The authlib bump itself is clean. 1.7.0 → 1.7.1: sdist URL, wheel URL, both sha256 hashes, and sizes all change consistently. No partial/mismatched hashes, no other unexpected churn in the authlib entry.
Tier 2 — alignment flag (non-blocking, for a human):
This lockfile diff also silently carries a core-SDK package rename: openenv-core 0.3.0 → openenv 0.3.1, including the requires-dist/dependency entries (openenv-core[core] → openenv[core]). That is unrelated to the authlib bump named in the PR title — it's a side-effect of uv lock regenerating against the current opencode_env/pyproject.toml.
Before merging, please confirm:
- The rename to the openenv PyPI package (0.3.1) is intentional and opencode_env is meant to track it.
- Whether the rest of the repo should be migrated in a coordinated change so the core-SDK package name stays consistent across environments.
If the rename is expected, this is fine to merge — just calling it out so a maintainer signs off on the SDK identity change rather than it landing inside a dependency bump. No action needed from Dependabot.
Automated review by Claude Code
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Tier 1 (correctness): The authlib 1.7.0 → 1.7.1 bump itself is a clean patch release (version, sdist, and wheel hashes updated; dependencies unchanged) and low-risk.
However, the diff is not limited to authlib. The same uv.lock update also renames the core package from openenv-core to openenv and bumps it 0.3.0 → 0.3.1 (new PyPI URLs/hashes, plus the requires-dist reference in opencode_env rewritten openenv-core → openenv). This is uv lock picking up the upstream PyPI package rename — unrelated to the authlib bump described in the title.
Tier 2 (alignment): Surfacing for awareness rather than blocking — if the openenv-core → openenv rename is the intended/planned change, please confirm so reviewers know the extra lockfile churn is expected. If it was incidental, consider regenerating the lock from a clean base so the PR matches its stated scope.
Verdict: comment.
Automated review by Claude Code
Bumps authlib from 1.7.0 to 1.7.1.
Release notes
Sourced from authlib's releases.
Commits
- 485016a chore: bump to 1.7.1
- 7b4ecd7 fix: redirecting to unvalidated redirect_uri on InvalidScopeError in OIDC grants
- c304a21 Merge pull request #881 from azmeuk/880-deprecation-warnings
- 4165ada fix: authlib.jose deprecation warning popping from _joserfc_helpers
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.