[FIX] Bump Authlib 1.2.1 -> 1.6.12 & PyMySQL 1.1.0 -> 1.1.1 (clear critical Dependabot alerts)#2041
[FIX] Bump Authlib 1.2.1 -> 1.6.12 & PyMySQL 1.1.0 -> 1.1.1 (clear critical Dependabot alerts)#2041jaseemjaskp wants to merge 1 commit into
Conversation
…abot) Both were hard-pinned, so this updates the pins plus the affected locks. - Authlib (backend/pyproject.toml): 1.2.1 -> 1.6.12 — clears the critical JWS JWK header-injection signature-verification bypass, plus OIDC fail-open, JWE RSA1_5 Bleichenbacher oracle, unknown-crit-header bypass, and oversized-JOSE DoS. 1.6.12 matches the version every other service in the monorepo already runs (no third Authlib version introduced). - PyMySQL (unstract/connectors/pyproject.toml): 1.1.0 -> 1.1.1 — clears the critical SQL injection alert; propagated to backend, workers and root locks (they get PyMySQL via unstract-connectors). Verified: backend, connectors, workers and root locks pass 'uv lock --check'; backend lock diff is Authlib + PyMySQL only (no transitive churn); PyMySQL 1.1.1 confirmed installed (uv pip show + pymysql.VERSION). Note: Authlib 1.2 -> 1.6 is a multi-minor jump touching the backend auth plugins — auth flows must be exercised in CI/staging. Local backend import is blocked by the unrelated django-celery-beat 2.5.0 wheel quirk.
Summary by CodeRabbit
WalkthroughTwo dependency version updates across separate project modules: Authlib upgraded from 1.2.1 to 1.6.12 in the backend, and PyMySQL upgraded from 1.1.0 to 1.1.1 in the connectors subsystem. ChangesDependency Version Updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Unstract test resultsPer-group results
Critical paths
|
|
| Filename | Overview |
|---|---|
| backend/pyproject.toml | Authlib pin updated from 1.2.1 to 1.6.12; single-line change, correct version string |
| unstract/connectors/pyproject.toml | PyMySQL pin bumped from 1.1.0 to 1.1.1; single-line patch-level fix |
| backend/uv.lock | Lock updated for Authlib (1.2.1→1.6.12) and PyMySQL (1.1.0→1.1.1) with new PyPI hashes; no transitive package churn observed |
| unstract/connectors/uv.lock | PyMySQL hash swapped to 1.1.1 wheel and sdist; lock is consistent with the pin change |
| uv.lock | Root workspace lock updated for both Authlib and PyMySQL; changes are minimal and match expected bump |
| workers/uv.lock | Workers lock updated for PyMySQL 1.1.1; Authlib was already resolved to 1.6.12 in workers (no change needed there) |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["backend/pyproject.toml<br/>Authlib==1.6.12<br/>PyMySQL via connectors"] --> B["backend/uv.lock<br/>Authlib 1.2.1 → 1.6.12<br/>PyMySQL 1.1.0 → 1.1.1"]
C["unstract/connectors/pyproject.toml<br/>PyMySQL==1.1.1"] --> D["unstract/connectors/uv.lock<br/>PyMySQL 1.1.0 → 1.1.1"]
C --> E["workers/uv.lock<br/>PyMySQL 1.1.0 → 1.1.1"]
C --> F["uv.lock (root)<br/>Authlib 1.2.1 → 1.6.12<br/>PyMySQL 1.1.0 → 1.1.1"]
A --> F
B --> G["backend auth plugins<br/>authlib.integrations.django_client.OAuth<br/>Needs CI/staging auth flow test"]
D --> H["MySQL connectors<br/>patch bump — negligible risk"]
Reviews (1): Last reviewed commit: "[FIX] Bump Authlib 1.2.1 -> 1.6.12 and P..." | Re-trigger Greptile
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/pyproject.toml`:
- Line 16: You upgraded Authlib to 1.6.12 which crosses several breaking
changes; either pin the dependency to a safe tested version (e.g., maintain
1.2.x) or run and update our auth/OIDC/JWT codepaths: audit usages of
has_client_secret, request_invalid, token_revoked, ClientSecretJWT.sign,
InvalidGrantError handling, OpenIDImplicitGrant/OpenIDHybridGrant redirect_uri
behavior, any custom OAuth2AuthorizationCodeMixin code, and authlib.jose.jwt
JWE/JWT algorithm handling (and check Python 3.8 support), then update
callers/handlers and tests to match the new APIs before merging.
In `@unstract/connectors/pyproject.toml`:
- Line 42: Replace the pinned dependency string "PyMySQL==1.1.1" with the
current release "PyMySQL==1.2.0" in the project's pyproject.toml dependency list
to move to the latest patched version; update any lockfile or regenerate
dependencies (e.g., poetry lock / pip-compile) and run tests to ensure
compatibility with the bumped PyMySQL version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 333dd116-6685-468e-b889-77e66a13d338
⛔ Files ignored due to path filters (4)
backend/uv.lockis excluded by!**/*.lockunstract/connectors/uv.lockis excluded by!**/*.lockuv.lockis excluded by!**/*.lockworkers/uv.lockis excluded by!**/*.lock
📒 Files selected for processing (2)
backend/pyproject.tomlunstract/connectors/pyproject.toml
|
|
||
| dependencies = [ | ||
| "Authlib==1.2.1", # For Auth plugins | ||
| "Authlib==1.6.12", # For Auth plugins |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
Authlib changelog breaking changes from version 1.2.1 to 1.6.12 migration guide
💡 Result:
Authlib changelog “breaking changes” from 1.2.1 to 1.6.12 (migration guidance): 1) Versions 1.2.1 (2023-06-25): remove/behavior changes you may need to account for - Removed has_client_secret method and its documentation. [1][2] - Removed request_invalid and token_revoked remaining occurrences and documentation. [1][2] - ClientSecretJWT.sign now applies headers (via PR #552), which can affect how client secrets are signed. [1][2] - authorize_redirect fix for Starlette v0.26.0. [1][2] - grant uri params: “Allow falsy but non-None grant uri params” (PR #544) may change validation logic around grant URI parameters. [1][2] - Fixed RFC7591 grant_types and response_types default values. [1][2] 2) Authlib 1.6.x line: additional breaking changes called out in the changelog - Authlib 1.6.0 page exists and indicates there are “Breaking changes” sections between 1.x releases; use the changelog view to extract the specific items for the versions you are skipping. [3] - In the repo changelog file, Authlib 1.6.9 shows breaking changes including: a) Support for acr and amr claims in id_token, requiring a migration in OAuth2AuthorizationCodeMixin to support new fields. [4] b) Stop support for Python 3.8. [4] c) Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server (i.e., changed error behavior). [4] d) authlib.jose.jwt only works with JWS algorithms by default; to use JWT with JWE algorithms you must pass an algorithms parameter (example shown in changelog). [4] 3) 1.6.12 (2026-05-04): last-mile change in your target range - v1.6.12 fixes redirecting to an unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant and OpenIDHybridGrant. [5] 4) Most important “migration guide” aspect in this range: prepare for the jose -> joserfc migration Authlib’s upgrade material for the broader 1.x -> 2.0 transition highlights a major module migration: - There is an explicit “Upgrade Guide: joserfc migration.” link on the Authlib upgrades changelog pages. [6] - Authlib notes it will remove the authlib.jose module in 2.0.0, and to use joserfc instead (migration PR message). [7] Practical migration approach (how to apply the above): - Start by searching the Authlib stable changelog between exactly the versions you skip (1.2.1 -> 1.6.12) and copy the “Breaking changes” bullet points for each intermediate release that you’re not already on. The official changelog provides a full list of changes “between each Authlib release.” [1] - Specifically review for removed APIs: has_client_secret, and request_invalid/token_revoked documentation/occurrences. [1][2] - Specifically review for behavior changes around OAuth error handling and validation: InvalidGrantError changes and redirect_uri handling in 1.6.12. [4][5] - If you rely on id_token customization: ensure OAuth2AuthorizationCodeMixin migration for acr/amr support (1.6.9 breaking change). [4] - If your deployment still targets Python 3.8, this must change (1.6.9 breaking change). [4] - If you use authlib.jose JWT/JWE: pass algorithms explicitly to use JWE algorithms (1.6.9 breaking change). [4] - Plan for jose -> joserfc migration even though it’s not necessarily “breaking” for 1.6.12 itself; the project is actively documenting and moving away from authlib.jose. [6][7] If you want, paste your stack (OAuth2 vs OIDC, client vs server, frameworks, and which classes you use), and I’ll map the above breaking bullets to the most likely code changes in your app.
Citations:
- 1: https://docs.authlib.org/en/stable/changelog.html
- 2: https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst
- 3: https://docs.authlib.org/en/v1.6.0/changelog.html
- 4: https://github.com/lepture/authlib/blob/v1.6.9/docs/changelog.rst
- 5: https://github.com/authlib/authlib/releases/tag/v1.6.12
- 6: https://docs.authlib.org/en/v1.7.0/upgrades/changelog.html
- 7: Migration to joserfc authlib/authlib#852
Authlib 1.6.12 upgrade: changelog shows auth/OIDC/JWT breaking/behavior changes
Even though the security fix is important, the jump from Authlib 1.2.1 → 1.6.12 crosses multiple “breaking changes” in the 1.2.x–1.6.x line. Key items to validate for your auth plugins:
- Removed/changed APIs:
has_client_secret;request_invalid/token_revokedremnants;ClientSecretJWT.signbehavior now applies headers - OAuth/OIDC error/redirect behavior:
InvalidGrantErrorhandling changes; 1.6.12 redirect_uri validation fix onInvalidScopeErrorinOpenIDImplicitGrant/OpenIDHybridGrant - OIDC id_token claim support: 1.6.9 introduces
acr/amrsupport inid_token(may requireOAuth2AuthorizationCodeMixinmigration if you customize) - jose/JWT/JWE compatibility:
authlib.jose.jwtalgorithm handling changes (JWE may require passingalgorithms) - Environment constraints: 1.6.9 drops Python 3.8 support
- Also consider the broader documented
authlib.jose→joserfcmigration path
Run/confirm integration coverage for the specific auth/OIDC/JWT codepaths in this backend (redirect_uri handling, token/authorization flows, and any client secret/JWT/JWE logic) before relying on the change.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@backend/pyproject.toml` at line 16, You upgraded Authlib to 1.6.12 which
crosses several breaking changes; either pin the dependency to a safe tested
version (e.g., maintain 1.2.x) or run and update our auth/OIDC/JWT codepaths:
audit usages of has_client_secret, request_invalid, token_revoked,
ClientSecretJWT.sign, InvalidGrantError handling,
OpenIDImplicitGrant/OpenIDHybridGrant redirect_uri behavior, any custom
OAuth2AuthorizationCodeMixin code, and authlib.jose.jwt JWE/JWT algorithm
handling (and check Python 3.8 support), then update callers/handlers and tests
to match the new APIs before merging.
| "google-cloud-bigquery==3.11.4", # For Bigquery | ||
| "pymssql==2.3.4", # For MSSQL | ||
| "PyMySQL==1.1.0", # For MySQL | ||
| "PyMySQL==1.1.1", # For MySQL |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify PyMySQL version 1.1.1 is current and secure
# Check PyPI for the latest PyMySQL version
echo "=== Latest PyMySQL version on PyPI ==="
curl -s https://pypi.org/pypi/pymysql/json | jq -r '.info.version'
# Check for security advisories using GitHub CLI
echo -e "\n=== Security advisories for PyMySQL ==="
gh api graphql -f query='
{
securityVulnerabilities(first: 10, ecosystem: PIP, package: "pymysql") {
nodes {
advisory {
summary
severity
publishedAt
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'Repository: Zipstack/unstract
Length of output: 1986
🌐 Web query:
PyPI latest version pymysql 1.1.1
💡 Result:
As of June 11, 2026, the latest version of PyMySQL on PyPI is 1.2.0, which was released on May 19, 2026 [1][2][3]. PyMySQL 1.1.1 was released on May 21, 2024 [4][5]. It is a historical version that included a fix for a security vulnerability (CVE-2024-36039), which addressed a potential SQL injection issue related to dict parameters in Cursor.execute() [5][6]. Users are encouraged to update to the latest available version (1.2.0) to ensure they have the most recent security patches and features [3].
Citations:
- 1: https://pypi.org/project/PyMySQL/
- 2: https://pypi.org/project/PyMySQL/1.2.0/
- 3: https://github.com/PyMySQL/PyMySQL/releases/tag/v1.2.0
- 4: https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1
- 5: https://github.com/PyMySQL/PyMySQL/blob/main/CHANGELOG.md
- 6: https://newreleases.io/project/pypi/PyMySQL/release/1.1.1
🌐 Web query:
OSV or GitHub security advisories for pymysql affected versions
💡 Result:
The primary security advisory for PyMySQL is CVE-2024-36039, which is documented in the GitHub Advisory Database as GHSA-v9hf-5j83-6xpp [1][2]. Affected Versions All versions of PyMySQL up to and including 1.1.0 are affected by this vulnerability [3][2]. Patched Version The vulnerability was resolved in version 1.1.1 [4][5]. Users are strongly recommended to upgrade to version 1.1.1 or later to mitigate this risk [6][5]. Vulnerability Details The issue is an SQL injection vulnerability (CWE-89) [3][2]. It occurs because the library's escape_dict function does not properly escape dictionary keys when processing untrusted JSON input, potentially allowing an attacker to execute arbitrary SQL commands [2][7]. In version 1.1.1, the maintainers addressed this by prohibiting the use of dictionary parameters in the Cursor.execute method, as this usage pattern did not produce valid SQL and introduced the injection risk [6][4][5]. If an immediate upgrade is not possible, maintainers recommend ensuring that any input from untrusted sources is strictly validated to have the expected type, as dictionary inputs are the primary attack vector [6][8][5].
Citations:
- 1: https://github.com/advisories/GHSA-v9hf-5j83-6xpp/dependabot
- 2: GHSA-v9hf-5j83-6xpp
- 3: https://nvd.nist.gov/vuln/detail/cve-2024-36039
- 4: PyMySQL/PyMySQL@2cab9ec
- 5: https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1
- 6: https://github.com/PyMySQL/PyMySQL/blob/main/CHANGELOG.md
- 7: https://security.snyk.io/vuln/SNYK-PYTHON-PYMYSQL-6968882
- 8: v1.1.1 PyMySQL/PyMySQL#1171
Update PyMySQL pin: 1.1.1 is patched but not latest (as of 2026-06-11).
PyMySQL==1.1.1fixes the SQL-injection issue forCVE-2024-36039/GHSA-v9hf-5j83-6xpp(affected through 1.1.0), so the security intent of the bump is correct.- PyPI latest is
PyMySQL==1.2.0(released 2026-05-19), so consider bumping from1.1.1→1.2.0to stay current with any additional patches.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@unstract/connectors/pyproject.toml` at line 42, Replace the pinned dependency
string "PyMySQL==1.1.1" with the current release "PyMySQL==1.2.0" in the
project's pyproject.toml dependency list to move to the latest patched version;
update any lockfile or regenerate dependencies (e.g., poetry lock / pip-compile)
and run tests to ensure compatibility with the bumped PyMySQL version.
What
Bumps two hard-pinned Python packages to clear their critical Dependabot alerts:
1.2.1 → 1.6.12(backend/pyproject.toml)1.1.0 → 1.1.1(unstract/connectors/pyproject.toml)Re-locks the affected workspaces:
backend/uv.lock,unstract/connectors/uv.lock,workers/uv.lock,uv.lock.Why
crit-header bypass, and oversized-JOSE DoS. Notably, backend was the only place still on 1.2.1 — every other service in the monorepo already runs 1.6.12, so this just brings backend in line (no new Authlib version introduced).connectors, but appears (viaunstract-connectors) in the backend/workers/root locks too — bumping the connectors pin propagates to all of them.How
uv lock --upgrade-packageforauthlib/pymysqlacrossbackend,connectors,workers, and the root workspace.Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
PyMySQL is a patch bump (1.1.0 → 1.1.1) — negligible risk.
Authlib 1.2 → 1.6 is the one to watch. It's a multi-minor jump and backend's auth plugins import Authlib directly, so JWS/JWT/OIDC behaviour could shift. Mitigating factors:
uv lock --check.👉 Reviewers: please exercise the auth flows (login/OAuth/JWT) in CI/staging before merge — a local backend import smoke-test could not be run (backend env creation is blocked by an unrelated, pre-existing
django-celery-beat==2.5.0wheel packaging quirk thatuvrejects).Database Migrations
None.
Env Config
None.
Relevant Docs
Authlib changelog
Related Issues or PRs
Dependabot remediation series — follows #2038 (frontend), #2039 (Python transitive), #2040 (Django).
Dependencies Versions
Authlib 1.2.1 → 1.6.12 · PyMySQL 1.1.0 → 1.1.1
Notes on Testing
uv lock --checkon backend / connectors / workers / root ✓uv pip show+pymysql.VERSION(1,1,1,'final',1)).Screenshots
N/A — dependency bump.
Checklist
I have read and understood the Contribution Guidelines.