ajkavanagh / pyramid_jwtauth

JSON Web Token (JWT) Auth plugin for Pyramid

Insecure version of PyJWT is used. #7

Closed wichert closed 9 years ago

wichert commented 9 years ago

pyramid_jwtauth pins PyJWT to an old version. This has two problems: 1) pinning to an exact version makes it impossible to use another version in a deployment and should generally never be done in setup.py, and 2) this is especially bad here since PyJWT has a known security problem (see jpadilla/pyjwt#109 and jpadilla/pyjwt#110).
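
A small check for the first problem raised above, added here as an example and not part of pyramid_jwtauth or PyJWT: it parses install_requires-style strings, flags exact `==` pins, and lists which known releases a pin would refuse to install (so a fixed release could never be picked up by a deployment). The requirement strings and release numbers are constructed for illustration, not real PyJWT version history.

```python
import re

# Subset of the requirement grammar: distribution name, then zero or more
# comma-separated PEP 440 clauses, e.g. "PyJWT==0.4.3" or "pyramid>=1.5,<2".
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.]*)")
# Maps each operator to the three-way comparison results it accepts.
_OPS = {"==": (0,), "!=": (-1, 1), "<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1)}

# Constructed sample: an exact pin beside a minimum-version specifier, plus a
# made-up release list (these are NOT real PyJWT or pyramid release numbers).
SAMPLE_REQUIREMENTS = ["PyJWT==0.4.3", "pyramid>=1.5"]
SAMPLE_RELEASES = {"PyJWT": ["0.4.3", "1.0.0", "1.4.2"], "pyramid": ["1.4", "1.5", "1.6"]}

def parse_requirement(req):
    """Return (name, [(operator, version), ...]) for one requirement string."""
    m = _NAME_RE.match(req)
    if not m:
        raise ValueError("unparseable requirement: %r" % (req,))
    name, spec = m.group(1), m.group(2)
    clauses = _CLAUSE_RE.findall(spec)
    if spec and not clauses:
        raise ValueError("unsupported specifier in %r" % (req,))
    return name, clauses

def _cmp(a, b):
    """Three-way compare two version strings on their leading numeric release
    segment ('1.0rc1' -> (1, 0)); the shorter tuple is zero-padded."""
    ta, tb = (tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", s).group().split("."))
              for s in (a, b))
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)

def version_allowed(clauses, version):
    """True if `version` satisfies every clause of the specifier."""
    return all(_cmp(version, wanted) in _OPS[op] for op, wanted in clauses)

def audit(requirements, available):
    """Flag exact pins and list the known releases each specifier refuses to
    install; `available` maps distribution name -> list of release strings."""
    report = {}
    for req in requirements:
        name, clauses = parse_requirement(req)
        report[name] = {
            "exact_pin": any(op == "==" for op, _ in clauses),
            "blocked": [v for v in available.get(name, [])
                        if not version_allowed(clauses, v)],
        }
    return report
```

Running `audit(SAMPLE_REQUIREMENTS, SAMPLE_RELEASES)` reports the PyJWT entry as an exact pin that blocks every later sample release, while the pyramid range only excludes the older one.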

ajkavanagh commented 9 years ago

I don't disagree. I didn't have it pinned prior to the upgrade of PyJWT to 0.4.x, and the transition from 0.2.x -> 0.4.x in PyJWT changed the API, which broke pyramid_jwtauth. Once I'd sorted that out, I left it pinned at 0.4 whilst I was dealing with some other stuff. Thus, it's a good catch. I'll unpin it and check it.

ajkavanagh commented 9 years ago

Okay, I've updated it so that PyJWT is no longer pinned. I've also updated the repo so that you can optionally use Vagrant to do dev on it (my Mac broke my setup after an OS upgrade).