chore(deps): bump the uv group across 4 directories with 6 updates

[dependabot]

Bumps the uv group with 4 updates in the /packages/opentelemetry-instrumentation-crewai directory: langgraph, orjson, pyasn1 and pypdf.
Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-mcp directory: authlib.
Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-voyageai directory: orjson.
Bumps the uv group with 3 updates in the /packages/opentelemetry-instrumentation-writer directory: orjson, authlib and black.

Updates langgraph from 1.0.6 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph==1.0.8

Changes since 1.0.7

• release(langgraph): 1.0.8 (#6757)
• chore: shallow copy futures (#6755)
• fix: pydantic messages double streaming (#6753)
• chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (#6673)
• chore: Omit lock when using connection pool (#6734)
• docs: enhance Runtime and ToolRuntime class descriptions for clarity (#6689)
• docs: add clarity to use of thread_id (#6515)
• docs: add docstrings to add_node overloads (#6514)
• docs: update notebook links and add archival notices for examples (#6720)
• release(cli): 0.4.12 (#6716)

langgraph-prebuilt==1.0.8

Changes since prebuilt==1.0.7

• release: langgraph + prebuilt (#6875)
• fix: inject ToolRuntime for dynamically registered tools (#6874)
• chore: bump orjson (#6852)
• chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (#6849)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (#6810)
• chore: server runtime type (#6774)
• docs(prebuilt): update warning for create_react_agent (#6760)
• release(langgraph): 1.0.8 (#6757)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• See full diff in compare view

Updates pypdf from 6.7.4 to 6.9.1

Release notes

Sourced from pypdf's releases.

Version 6.9.1, 2026-03-17

What's new

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686) by @​stefan6419846

Full Changelog

Version 6.9.0, 2026-03-15

What's new

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672) by @​costajohnt

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679) by @​dmitry-kostin
• Batch-parse all objects in ObjStm on first access (#3677) by @​dmitry-kostin

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681) by @​stefan6419846
• Avoid accessing invalid page when inserting blank page under some conditions (#3529) by @​j-t-1

Full Changelog

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666) by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.9.1, 2026-03-17

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686)

Full Changelog

Version 6.9.0, 2026-03-15

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672)

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679)
• Batch-parse all objects in ObjStm on first access (#3677)

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681)
• Avoid accessing invalid page when inserting blank page under some conditions (#3529)

Full Changelog

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Commits

• 0e5157c REL: 6.9.1
• 0b5d05d SEC: Improve performance and limit length of array-based content streams (#3686)
• 87aa1d4 DEV: Remove unused reverse encoding dicts (#3685)
• 84f5266 MAINT: Use placeholder-based approach for logger_error (#3673)
• 8f1f4aa REL: 6.9.0
• 5a9a0da BUG: Avoid sharing array-based content streams between pages (#3681)
• a3451e8 ENH: Expose /Perms verification result on Encryption object (#3672)
• 3a4e913 PI: Fix O(n²) performance in NameObject read/write (#3679)
• cf2e518 PI: Batch-parse all objects in ObjStm on first access (#3677)
• 2cfcd7e BUG: Avoid accessing invalid page when inserting blank page under some condit...
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates langgraph from 1.0.6 to 1.0.10rc1

Release notes

Sourced from langgraph's releases.

langgraph==1.0.10rc1

Changes since 1.0.9

• release: Candidate (#6947)
• Merge commit from fork
• chore: add tests to confirm expected subgraph persistence behavior (#6943)
• fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes numeric task segments (#6864)
• chore: add make type target for type checking (#6748)

langgraph==1.0.9

Changes since 1.0.8

• release: langgraph + prebuilt (#6875)
• fix: sequential interrupt handling w/ functional API (#6863)
• chore: state_updated_at sort by (#6857)
• chore: bump orjson (#6852)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/langgraph with 6 updates (#6815)
• chore(deps): bump protobuf from 6.33.4 to 6.33.5 in /libs/langgraph (#6833)
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /libs/langgraph (#6837)
• chore(deps): bump nbconvert from 7.16.6 to 7.17.0 in /libs/langgraph (#6832)
• chore: server runtime type (#6774)
• refactor: replace bare except with BaseException in AsyncQueue (#6765)

langgraph==1.0.8

Changes since 1.0.7

• release(langgraph): 1.0.8 (#6757)
• chore: shallow copy futures (#6755)
• fix: pydantic messages double streaming (#6753)
• chore(deps-dev): bump ruff from 0.14.7 to 0.14.11 in /libs/sdk-py (#6673)
• chore: Omit lock when using connection pool (#6734)
• docs: enhance Runtime and ToolRuntime class descriptions for clarity (#6689)
• docs: add clarity to use of thread_id (#6515)
• docs: add docstrings to add_node overloads (#6514)
• docs: update notebook links and add archival notices for examples (#6720)
• release(cli): 0.4.12 (#6716)

langgraph-prebuilt==1.0.8

Changes since prebuilt==1.0.7

• release: langgraph + prebuilt (#6875)
• fix: inject ToolRuntime for dynamically registered tools (#6874)
• chore: bump orjson (#6852)
• chore(deps): bump langchain-core from 1.2.12 to 1.2.13 in /libs/prebuilt in the all-dependencies group (#6849)
• chore: conformance testing (#6842)
• chore(deps): bump the all-dependencies group in /libs/prebuilt with 3 updates (#6810)
• chore: server runtime type (#6774)
• docs(prebuilt): update warning for create_react_agent (#6760)
• release(langgraph): 1.0.8 (#6757)

... (truncated)

Commits

• a04ec5d release: Candidate (#6947)
• 50df7d4 Merge commit from fork
• c4a4a46 chore: add tests to confirm expected subgraph persistence behavior (#6943)
• f178eb8 fix(langgraph): correct ParentCommand bubbling when checkpoint_ns includes nu...
• 48167d7 chore(deps): bump the all-dependencies group in /libs/cli with 2 updates (#6920)
• 806878a chore(deps): bump the all-dependencies group in /libs/checkpoint-postgres wit...
• 8087e6a docs(sdk-py): update auth docstrings to default-deny pattern (#6933)
• 8fbdb14 release(sdk-py): 0.3.9 (#6932)
• 5093802 chore(deps): bump the all-dependencies group in /libs/checkpoint with 2 updat...
• b89ef60 feat(sdk-py): add extract parameter to threads.search() (#6880)
• Additional commits viewable in compare view

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

• orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
• Drop support for Python 3.9.
• ABI compatibility with CPython 3.15 alpha 5.
• Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

• Fix sporadic crash serializing deeply nested list of dict.

Commits

• ec02024 3.11.6
• d581687 build, clippy misc
• 4105b29 writer::num
• 62bb185 Fix sporadic crash on serializing object close
• d860078 PyRef idiom refactors
• 343ae2f Deserializer, Utf8Buffer
• 7835f58 PyBytesRef and other input refactor
• 71e0516 PyStrRef
• 1096df4 MSRV 1.89
• b718e75 Drop support for python3.9
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

• Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
• Fixed OverflowError from oversized BER length field.
• Fixed DeprecationWarning stacklevel for deprecated attributes.
• Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field [issue #54](pyasn1/pyasn1#54) [pr #100](pyasn1/pyasn1#100)
• Fixed DeprecationWarning stacklevel for deprecated attributes [issue #86](pyasn1/pyasn1#86) [pr #101](pyasn1/pyasn1#101)
• Fixed asDateTime incorrect fractional seconds parsing [issue #81](pyasn1/pyasn1#81) [pr #102](pyasn1/pyasn1#102)

Commits

• af65c3b Prepare release 0.6.3
• 5a49bd1 Merge commit from fork
• 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
• 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
• d7cb42d Fix OverflowError from oversized BER length field (#100)
• See full diff in compare view

Updates pypdf from 6.7.4 to 6.9.1

Release notes

Sourced from pypdf's releases.

Version 6.9.1, 2026-03-17

What's new

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686) by @​stefan6419846

Full Changelog

Version 6.9.0, 2026-03-15

What's new

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672) by @​costajohnt

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679) by @​dmitry-kostin
• Batch-parse all objects in ObjStm on first access (#3677) by @​dmitry-kostin

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681) by @​stefan6419846
• Avoid accessing invalid page when inserting blank page under some conditions (#3529) by @​j-t-1

Full Changelog

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666) by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.9.1, 2026-03-17

Security (SEC)

• Improve performance and limit length of array-based content streams (#3686)

Full Changelog

Version 6.9.0, 2026-03-15

New Features (ENH)

• Expose /Perms verification result on Encryption object (#3672)

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#3679)
• Batch-parse all objects in ObjStm on first access (#3677)

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#3681)
• Avoid accessing invalid page when inserting blank page under some conditions (#3529)

Full Changelog

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Version 6.7.5, 2026-03-02

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Commits

• 0e5157c REL: 6.9.1
• 0b5d05d SEC: Improve performance and limit length of array-based content streams (#3686)
• 87aa1d4 DEV: Remove unused reverse encoding dicts (#3685)
• 84f5266 MAINT: Use placeholder-based approach for logger_error (#3673)
• 8f1f4aa REL: 6.9.0
• 5a9a0da BUG: Avoid sharing array-based content streams between pages (#3681)
• a3451e8 ENH: Expose /Perms verification result on Encryption object (#3672)
• 3a4e913 PI: Fix O(n²) performance in NameObject read/write (#3679)
• cf2e518 PI: Batch-parse all objects in ObjStm on first access (#3677)
• 2cfcd7e BUG: Avoid accessing invalid page when inserting blank page under some condit...
• Additional commits viewable in compare view

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

• Not using header's jwk automatically
• Add ES256K into default jwt algorithms
• Remove deprecated algorithm from default registry
• Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

• Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

• Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
• Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
• Stop support for Python 3.9, start support Python 3.14. :pr:850
• Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
• Fix expires_at=0 being incorrectly treated as None. :issue:530
• Allow ResourceProtector decorator to be used without parentheses. :issue:604
• Implement RFC9700 PKCE downgrade countermeasure.
• Set User-Agent header when fetching server metadata and JWKs. :issue:704
• RFC7523 accepts the issuer URL as a valid audience. :issue:730
• Fix InvalidTokenError extra attributes being wrapped instead of passed as individual key=value pairs in the WWW-Authenticate header. :pr:872

Upgrade Guide: :ref:joserfc_upgrade.

Commits

• 9266eaa chore: release 1.6.9
• b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
• 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
• 5be3c51 fix(jose): add ES256K into default jwt algorithms
• 48b345f fix(jose): remove deprecated algorithm from default registry
• a5d4b2d fix(jose): do not use header's jwk automatically
• a769f34 chore: release 1.6.8
• 84f3fa2 fix: add EdDSA to default jwt algorithms
• 38e872a chore: release 1.6.7
• b87c32e fix: remove "none" algorithm from default jwt instance
• See full diff in compare view

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

• Not using header's jwk automatically
• Add ES256K into default jwt algorithms
• Remove deprecated algorithm from default registry
• Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

• Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

• Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
• Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
• Stop support for Python 3.9, start support Python 3.14. :pr:850
• Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
• Fix expires_at=0 being incorrectly treated as None. :issue:530
• Allow ResourceProtector decorator to be used without parentheses. :issue:604
• Implement RFC9700 PKCE downgrade countermeasure.
• Set User-Agent header when fetching server metadata and JWKs. :issue:704
• RFC7523 accepts the issuer URL as a valid audience. :issue:730
• Fix InvalidTokenError extra attributes being wrapped instead of passed as individual key=value pairs in the WWW-Authenticate header. :pr:872

Upgrade Guide: :ref:joserfc_upgrade.

Commits

• 9266eaa chore: release 1.6.9
• b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
• 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
• 5be3c51 fix(jose): add ES256K into default jwt algorithms
• 48b345f fix(jose): remove deprecated algorithm from default registry
• a5d4b2d fix(jose): do not use header's jwk automatically
• a769f34 chore: release 1.6.8
• 84f3fa2 fix: add EdDSA to default jwt algorithms
• 38e872a chore: release 1.6.7
• b87c32e fix: remove "none" algorithm from default jwt instance
• See full diff in compare view

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

• Not using header's jwk automatically
• Add ES256K into default jwt algorithms
• Remove deprecated algorithm from default registry
• Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

• Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

• Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
• Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
• Stop support for Python 3.9, start support Python 3.14. :pr:850
• Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
• Fix expires_at=0 being incorrectly treated as None. :issue:530
• Allow ResourceProtector decorator to be used without parentheses. :issue:604
• Implement RFC9700 PKCE downgrade countermeasure.
• Set User-Agent header when fetching server metadata and JWKs. :issue:704
• RFC7523 accepts the issuer URL as a valid audience. :issue:730
• Fix InvalidTokenError extra attributes being wrapped instead of passed as individual key=value pairs in the WWW-Authenticate header. :pr:872

Upgrade Guide: :ref:joserfc_upgrade.

Commits

...

Description has been truncated