chore(deps): bump authlib from 1.7.0 to 1.7.1 in /envs/opencode_env #780
dependabot[bot] wants to merge 1 commit into
Bumps [authlib](https://github.com/authlib/authlib) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Commits](authlib/authlib@v1.7.0...1.7.1)
---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.7.1
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Verdict: Approve ✅
Two-tier review of this Dependabot lockfile bump (envs/opencode_env/uv.lock, +9/-9).
Tier 1 — Bugs / correctness / lint
No issues.
- authlib 1.7.0 → 1.7.1 is a patch bump: fixes a `joserfc` deprecation warning and (security-relevant) fixes redirecting to an unvalidated `redirect_uri` on `InvalidScopeError` in the OIDC implicit/hybrid grants. sdist/wheel hashes are updated consistently.
- The lock also shows `openenv-core 0.3.0 → openenv 0.3.1` (package name + `requires-dist`). I verified that `envs/opencode_env/pyproject.toml` at this PR head already declares `openenv[core]>=0.3.0` — so this is simply Dependabot regenerating a stale lockfile into coherence with the already-migrated manifest, not a hidden rename migration. The lock is internally coherent and installable.
Tier 2 — Alignment with OpenEnv principles
No concerns. Lockfile-only dependency maintenance; no source, no API boundary, no invariants affected.
Routine, safe bump — carries a minor upstream security fix as a bonus.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Tier 1 — Bugs & Lint
No issues. Lockfile-only change with valid hashes.
The authlib 1.7.0 → 1.7.1 bump is worth taking: 1.7.1 fixes redirecting to an unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant/OpenIDHybridGrant (security-relevant), plus a joserfc deprecation-warning fix.
Note — the bundled openenv-core → openenv lock change is correct, not scope creep
This PR also rewrites the locked core package from openenv-core 0.3.0 to openenv 0.3.1. I verified this is intended and beneficial:
- `envs/opencode_env/pyproject.toml` on `main` already declares `openenv[core]>=0.3.0` (the renamed package).
- The committed `uv.lock` on `main` was stale, still pinning the old `openenv-core` name.
- Dependabot's re-lock brings the lockfile in line with what `pyproject.toml` already requires (the core package was renamed `openenv-core` → `openenv` on PyPI).
So this PR incidentally fixes a pre-existing lock/manifest inconsistency in addition to the authlib bump.
Tier 2 — Alignment
No concerns.
Verdict: approve ✅
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review (Tier 1 + Tier 2)
Tier 1 — mechanical: The authlib bump itself is clean. 1.7.0 → 1.7.1: sdist URL, wheel URL, both sha256 hashes, and sizes all change consistently. No partial/mismatched hashes, no other unexpected churn in the authlib entry.
Tier 2 — alignment flag (non-blocking, for a human):
This lockfile diff also silently carries a core-SDK package rename: openenv-core 0.3.0 → openenv 0.3.1, including the requires-dist/dependency entries (openenv-core[core] → openenv[core]). That is unrelated to the authlib bump named in the PR title — it's a side-effect of uv lock regenerating against the current opencode_env/pyproject.toml.
Before merging, please confirm:
- The rename to the `openenv` PyPI package (0.3.1) is intentional and `opencode_env` is meant to track it.
- Whether the rest of the repo should be migrated in a coordinated change so the core-SDK package name stays consistent across environments.
If the rename is expected, this is fine to merge — just calling it out so a maintainer signs off on the SDK identity change rather than it landing inside a dependency bump. No action needed from Dependabot.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Tier 1 (correctness): The authlib 1.7.0 → 1.7.1 bump itself is a clean patch release (version, sdist, and wheel hashes updated; dependencies unchanged) and low-risk.
However, the diff is not limited to authlib. The same uv.lock update also renames the core package from openenv-core to openenv and bumps it 0.3.0 → 0.3.1 (new PyPI URLs/hashes, plus the requires-dist reference in opencode_env rewritten openenv-core → openenv). This is uv lock picking up the upstream PyPI package rename — unrelated to the authlib bump described in the title.
Tier 2 (alignment): Surfacing for awareness rather than blocking — if the openenv-core → openenv rename is the intended/planned change, please confirm so reviewers know the extra lockfile churn is expected. If it was incidental, consider regenerating the lock from a clean base so the PR matches its stated scope.
Verdict: comment.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
Alignment Review (automated)
Tier 1 (bugs/lint): None. The authlib 1.7.0 -> 1.7.1 bump is a clean patch release; lockfile hashes/URLs are consistent.
Tier 2 (alignment): One point for human attention. Beyond the authlib bump, this uv.lock regeneration also silently changes the core dependency from openenv-core 0.3.0 to openenv 0.3.1 (a package rename + minor version increment) — not mentioned in the Dependabot title/body. Other env lockfiles in the repo (e.g. echo_env, browsergym_env, connect4_env) still reference openenv-core, and the root pyproject.toml still declares name = "openenv-core", so opencode_env becomes the only env on the renamed package. If the openenv-core -> openenv migration is intentional, it should be applied consistently across the monorepo as a coordinated change rather than picked up incidentally in one Dependabot lockfile bump. Flagging for a maintainer to confirm intent.
Automated review by Claude Code | Learn more
Darktex left a comment
Note: This is an automated review by Claude Code, not a human review.
This PR is titled as an authlib 1.7.0 → 1.7.1 bump, but the regenerated envs/opencode_env/uv.lock actually carries two changes. Both are internally consistent, but the title understates the scope — flagging for a human to confirm the second one is intended.
Tier 1 (correctness):
- authlib bump — clean: version + sdist (sha256 `8c09b0f9…`, size 175884) + wheel (sha256 `8470f4aa…`, size 258826) all updated together, no stale hashes.
- Core package rename — the locked core dependency changes from `openenv-core` 0.3.0 to `openenv` 0.3.1. All three references update together: the `[[package]]` block (name/version/URLs/hashes), the `dependencies` entry, and the `requires-dist` entry (now `{ name = "openenv", extras = ["core"], specifier = ">=0.3.0" }`). The `>=0.3.0` specifier is satisfied by 0.3.1, so the file is self-consistent.
Tier 2 (alignment) — needs a human decision:
A grep across envs/*/uv.lock shows opencode_env would become the only env referencing the openenv package name; ~30 sibling envs still lock openenv-core (0.2.1–0.3.0). This looks like a side effect of dependabot re-resolving against PyPI, where the core package appears to have been republished as openenv 0.3.1. Before merging, please confirm:
- `openenv-core` was intentionally renamed/republished to `openenv` on PyPI;
- `envs/opencode_env/pyproject.toml` already declares `openenv` (not `openenv-core`) — otherwise the lockfile would be out of sync with the manifest;
- there's a plan to migrate sibling lockfiles, so the fleet doesn't silently split across two package names.
The authlib bump itself is safe. Holding at comment rather than approve because the embedded rename, while internally consistent, is an untracked ecosystem change that warrants a maintainer's confirmation.
Automated review by Claude Code | Learn more
Bumps authlib from 1.7.0 to 1.7.1.
Release notes
Sourced from authlib's releases.
Commits
- 485016a chore: bump to 1.7.1
- 7b4ecd7 fix: redirecting to unvalidated redirect_uri on InvalidScopeError in OIDC grants
- c304a21 Merge pull request #881 from azmeuk/880-deprecation-warnings
- 4165ada fix: authlib.jose deprecation warning popping from _joserfc_helpers

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.