[FIX] Bump Authlib 1.2.1 -> 1.6.12 & PyMySQL 1.1.0 -> 1.1.1 (clear critical Dependabot alerts)#2041
jaseemjaskp merged 3 commits into Zipstack/unstract:main from Zipstack/unstract:fix/dependabot-authlib-pymysql
…abot) Both were hard-pinned, so this updates the pins plus the affected locks.
- Authlib (backend/pyproject.toml): 1.2.1 -> 1.6.12 — clears the critical JWS JWK header-injection signature-verification bypass, plus OIDC fail-open, JWE RSA1_5 Bleichenbacher oracle, unknown-crit-header bypass, and oversized-JOSE DoS. 1.6.12 matches the version every other service in the monorepo already runs (no third Authlib version introduced).
- PyMySQL (unstract/connectors/pyproject.toml): 1.1.0 -> 1.1.1 — clears the critical SQL injection alert; propagated to backend, workers and root locks (they get PyMySQL via unstract-connectors).
Verified: backend, connectors, workers and root locks pass 'uv lock --check'; backend lock diff is Authlib + PyMySQL only (no transitive churn); PyMySQL 1.1.1 confirmed installed (uv pip show + pymysql.VERSION).
Note: Authlib 1.2 -> 1.6 is a multi-minor jump touching the backend auth plugins — auth flows must be exercised in CI/staging. Local backend import is blocked by the unrelated django-celery-beat 2.5.0 wheel quirk.
Summary by CodeRabbit
Walkthrough: Two dependency version updates across separate project modules: Authlib upgraded from 1.2.1 to 1.6.12 in the backend, and PyMySQL upgraded from 1.1.0 to 1.1.1 in the connectors subsystem.
Changes: Dependency Version Updates
| Filename | Overview |
|---|---|
| backend/pyproject.toml | Authlib pin bumped from 1.2.1 to 1.6.12 to clear critical Dependabot alerts; single-line change, correct. |
| unstract/connectors/pyproject.toml | PyMySQL pin bumped from 1.1.0 to 1.1.1 (patch bump, SQL-injection fix); single-line change, correct. |
| backend/uv.lock | Lock updated for Authlib 1.6.12 and PyMySQL 1.1.1; diff shows only 16 lines changed with no transitive churn. |
| unstract/connectors/uv.lock | Lock re-pinned for PyMySQL 1.1.1; 8-line diff, no unexpected transitive updates. |
| uv.lock | Root workspace lock re-pinned for PyMySQL 1.1.1 propagated from connectors; 8-line diff, no transitive churn. |
| workers/uv.lock | Workers lock re-pinned for PyMySQL 1.1.1; 8-line diff, no transitive churn. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[unstract/connectors/pyproject.toml\nPyMySQL 1.1.0 → 1.1.1] --> B[unstract/connectors/uv.lock]
A --> C[backend/uv.lock\nvia unstract-connectors]
A --> D[workers/uv.lock\nvia unstract-connectors]
A --> E[uv.lock\nroot workspace]
F[backend/pyproject.toml\nAuthlib 1.2.1 → 1.6.12] --> C
B --> G{uv lock --check ✓}
C --> G
D --> G
E --> G
Reviews (3): Last reviewed commit: "Merge branch 'main' into fix/dependabot-..."
Actionable comments posted: 2
Inline comments:
In `@backend/pyproject.toml`:
- Line 16: You upgraded Authlib to 1.6.12 which crosses several breaking
changes; either pin the dependency to a safe tested version (e.g., maintain
1.2.x) or run and update our auth/OIDC/JWT codepaths: audit usages of
has_client_secret, request_invalid, token_revoked, ClientSecretJWT.sign,
InvalidGrantError handling, OpenIDImplicitGrant/OpenIDHybridGrant redirect_uri
behavior, any custom OAuth2AuthorizationCodeMixin code, and authlib.jose.jwt
JWE/JWT algorithm handling (and check Python 3.8 support), then update
callers/handlers and tests to match the new APIs before merging.
In `@unstract/connectors/pyproject.toml`:
- Line 42: Replace the pinned dependency string "PyMySQL==1.1.1" with the
current release "PyMySQL==1.2.0" in the project's pyproject.toml dependency list
to move to the latest patched version; update any lockfile or regenerate
dependencies (e.g., poetry lock / pip-compile) and run tests to ensure
compatibility with the bumped PyMySQL version.
jaseemjaskp left a comment
Automated dependency-review pass (PR Review Toolkit). The PR surface is dependency-version bumps + regenerated lock files only — no application code — so the code-quality/type/test/comment agents have no surface to analyze. One additive note below; the existing CodeRabbit notes on the Authlib and PyMySQL breaking-change concerns stand and are not duplicated here.
What
Bumps two hard-pinned Python packages to clear their critical Dependabot alerts:
- Authlib 1.2.1 → 1.6.12 (backend/pyproject.toml)
- PyMySQL 1.1.0 → 1.1.1 (unstract/connectors/pyproject.toml)
Re-locks the affected workspaces: backend/uv.lock, unstract/connectors/uv.lock, workers/uv.lock, uv.lock.
Why
- crit-header bypass, and oversized-JOSE DoS. Notably, backend was the only place still on 1.2.1 — every other service in the monorepo already runs 1.6.12, so this just brings backend in line (no new Authlib version introduced).
- connectors, but appears (via unstract-connectors) in the backend/workers/root locks too — bumping the connectors pin propagates to all of them.
How
`uv lock --upgrade-package` for `authlib`/`pymysql` across `backend`, `connectors`, `workers`, and the root workspace.
Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
PyMySQL is a patch bump (1.1.0 → 1.1.1) — negligible risk.
Authlib 1.2 → 1.6 is the one to watch. It's a multi-minor jump and backend's auth plugins import Authlib directly, so JWS/JWT/OIDC behaviour could shift. Mitigating factors:
- `uv lock --check`.
👉 Reviewers: please exercise the auth flows (login/OAuth/JWT) in CI/staging before merge — a local backend import smoke-test could not be run (backend env creation is blocked by an unrelated, pre-existing `django-celery-beat==2.5.0` wheel packaging quirk that `uv` rejects).
Database Migrations
None.
Env Config
None.
Relevant Docs
Authlib changelog
Related Issues or PRs
Dependabot remediation series — follows #2038 (frontend), #2039 (Python transitive), #2040 (Django).
Dependencies Versions
Authlib 1.2.1 → 1.6.12 · PyMySQL 1.1.0 → 1.1.1
Notes on Testing
- `uv lock --check` on backend / connectors / workers / root ✓
- `uv pip show` + `pymysql.VERSION` (`(1,1,1,'final',1)`)
Screenshots
N/A — dependency bump.
Checklist
I have read and understood the Contribution Guidelines.
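As an added example (not code from this PR or from the Unstract project), the pin-vs-minimum check that the Notes on Testing describe, written in Python: it scans a constructed pyproject.toml snippet for `==` pins, compares them with the patched minimums named in the PR (Authlib 1.6.12, PyMySQL 1.1.1), and reduces a `pymysql.VERSION`-style tuple to something comparable with a pin. The regex scan of quoted pins is a simplification assumed here in place of a full TOML parser.

```python
import re

# Minimum versions that clear the alerts named in this PR (Authlib 1.6.12, PyMySQL 1.1.1).
PATCHED_MINIMUMS = {"authlib": (1, 6, 12), "pymysql": (1, 1, 1)}

# Constructed sample (not the repo's real file): a pyproject.toml still on the pre-bump pins.
SAMPLE_PYPROJECT = """
[project]
name = "backend"
dependencies = [
    "Authlib==1.2.1",
    "PyMySQL==1.1.0",
    "django>=4.2",
]
"""

# Matches quoted '==' pins inside the dependencies array; range specifiers like '>=' are not pins.
PIN_RE = re.compile(r'"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)"')


def parse_version(text):
    """'1.6.12' -> (1, 6, 12), so comparisons are numeric ('1.10.0' > '1.9.0')."""
    return tuple(int(part) for part in text.split("."))


def normalise(name):
    """PEP 503 style normalisation so 'PyMySQL' and 'pymysql' are the same key."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pins_from_pyproject(text):
    """Return {normalised name: version tuple} for every '==' pin in the file."""
    return {normalise(n): parse_version(v) for n, v in PIN_RE.findall(text)}


def outdated_pins(pins, minimums=PATCHED_MINIMUMS):
    """Return {name: (pinned, minimum)} for pins still below the patched floor; empty means clear."""
    return {name: (pins[name], floor) for name, floor in minimums.items()
            if name in pins and pins[name] < floor}


def installed_meets(version_info, minimum):
    """Check a pymysql.VERSION-style tuple such as (1, 1, 1, 'final', 1) against a minimum."""
    numeric = tuple(p for p in version_info if isinstance(p, int))[:3]
    return numeric >= minimum


if __name__ == "__main__":
    # On the constructed sample both pins are reported; an empty dict means the bump is in place.
    print(outdated_pins(pins_from_pyproject(SAMPLE_PYPROJECT)))
```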