Python: Bump authlib from 1.6.11 to 1.6.12 in /python #14004
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [authlib](https://github.com/authlib/authlib) from 1.6.11 to 1.6.12.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/1.6.12/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.11...1.6.12)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Automated Code Review
Reviewers: 4 | Confidence: 61%
✓ Correctness
This is a straightforward Dependabot security patch bumping authlib from 1.6.11 to 1.6.12 in the uv.lock file. The authlib update fixes a security issue (redirecting to unvalidated redirect_uri on InvalidScopeError). The lock file also reflects updated version ranges for boto3, google-genai, mistralai, and pydantic which are consistent with the pyproject.toml declarations. No correctness issues found.
✓ Security Reliability
This is a straightforward Dependabot security update bumping authlib from 1.6.11 to 1.6.12 in the uv.lock file. The new version fixes a security vulnerability involving unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant and OpenIDHybridGrant. The lock file correctly includes updated hashes from PyPI. The other changes in the requires-dist section (boto3, google-genai, mistralai, pydantic upper bounds) reflect what is already specified in pyproject.toml and are just the result of lock file regeneration. No security or reliability concerns with this change.
✓ Test Coverage
This PR is a Dependabot security bump of authlib from 1.6.11 to 1.6.12 (fixing an unvalidated redirect_uri issue). The change is confined entirely to python/uv.lock with no source code modifications. authlib is not directly imported anywhere in the Python source (it's a transitive dependency), so no new tests are warranted. The existing test suite serves as the compatibility check for this lock file update. The additional version range widenings (boto3, google-genai, mistralai, pydantic) are also lock-file-only constraint updates requiring no new test coverage.
✗ Design Approach
This lockfile bump does update the repo's `uv sync` environment, but it does not address the published dependency surface that users install from. `authlib` is only present transitively through `weaviate-client`, and the package metadata/docs still expose installs via `pip install semantic-kernel[...]`, so consumers of the `weaviate` extra can still resolve an older `authlib` outside this lockfile.
Flagged Issues
- The lockfile-only bump does not protect package consumers.
`authlib` is a transitive dependency of `weaviate-client` and is not declared in `pyproject.toml`. Since users install via `pip install semantic-kernel[weaviate]` (per `python/README.md:20-23`), they can still resolve a vulnerable `authlib` version. If the goal is to fix the shipped dependency surface, a lower-bound constraint on `authlib>=1.6.12` should be added to `pyproject.toml`, not just `uv.lock`.
Automated review by dependabot[bot]'s agents
| [[package]] | ||
| name = "authlib" | ||
| version = "1.6.11" | ||
| version = "1.6.12" |
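Review bot: the `version = "1.6.12"` line only changes what `uv sync` resolves inside this repository; nothing in the hunk declares `authlib` in `pyproject.toml`, so users who `pip install semantic-kernel[weaviate]` and receive `authlib` through `weaviate-client` are unaffected by this bump. If the intent is to remediate the advisory for consumers as well, pair this with an explicit `authlib>=1.6.12` lower bound in `pyproject.toml`, and confirm that the sdist/wheel hash entries for 1.6.12 in this lockfile entry were regenerated alongside the version line (they are not visible in the rendered excerpt).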
This only updates the repo-local lockfile. authlib is not part of the published project metadata — it enters the dependency graph transitively via weaviate-client>=4.17.0,<5.0 (python/pyproject.toml:155-157). Users installing with pip install semantic-kernel[weaviate] can still resolve an older authlib. If this PR is meant to remediate the vulnerability for consumers, add authlib>=1.6.12 as an explicit constraint in pyproject.toml.
Bumps authlib from 1.6.11 to 1.6.12.
Release notes
Sourced from authlib's releases.
Changelog
Sourced from authlib's changelog.
Commits
e46e515 chore: bump to 1.6.12
9babc13 fix: redirecting to unvalidated redirect_uri on InvalidScopeError in OIDC grants

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.