jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License
5.05k stars, 676 forks

CVE-2022-3602 and CVE-2022-3786 fixes in cryptography 38.0.3 #827

Status: Closed (lahirumaramba closed this issue 1 year ago)

lahirumaramba commented 1 year ago

Hey folks,

You probably have already looked into this, but since I couldn't find any closed issues on this I decided to create this as more of an FYI.

The cryptography package was affected by CVE-2022-3602 and CVE-2022-3786, and they have addressed the issue in the v38.0.3 release.

Since pyjwt is not pointing to a specific version of cryptography, installing pyjwt[crypto] pulls in the latest version of cryptography. So I think the risk here is minimal. Just wanted to let you know anyway. Do you think it is worth updating the minimum version of cryptography in dependencies? https://github.com/jpadilla/pyjwt/blob/300348f7bc4a520448b8fbefa525c9434e82141d/setup.cfg#L48
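The question above is whether an environment that installed pyjwt[crypto] actually ended up with a fixed cryptography. The following is an added example (not PyJWT's own code and not something posted in this issue) that answers that for one environment: it reads the installed cryptography version via importlib.metadata and compares it against 38.0.3, the fixed release named in the issue. It deliberately avoids the third-party packaging library, so the version comparison is a simplified numeric one; pre-release suffixes such as 0b1 are truncated to their numeric part, which is an assumption that holds for the release strings cryptography publishes but is not full PEP 440.

```python
"""Report whether the installed `cryptography` package is at or above the
release that carries the fixes discussed in this issue (38.0.3).

Added example, not part of PyJWT. Run it inside the virtualenv that has
pyjwt[crypto] installed; exit status is non-zero when an upgrade is needed.
"""
import sys
from importlib import metadata
from typing import Optional, Tuple

# Fixed release as stated in the issue; assumption: this is the bar to check against.
FIXED_CRYPTOGRAPHY = "38.0.3"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '38.0.3' into a comparable tuple.

    Each component keeps only its leading digits, so '39.0.0b1' becomes
    (39, 0, 0) and '38.0.3+local' becomes (38, 0, 3). This is a simplification
    of PEP 440 ordering that is sufficient for comparing final releases.
    """
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def meets_minimum(installed: str, minimum: str = FIXED_CRYPTOGRAPHY) -> bool:
    """True if `installed` is greater than or equal to `minimum`.

    Shorter tuples are zero-padded so that '38.0' compares as '38.0.0'.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_cryptography_version() -> Optional[str]:
    """Version string of the installed cryptography distribution, or None."""
    try:
        return metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None


def check() -> Tuple[bool, str]:
    """(ok, message) for the current environment.

    `ok` is False when cryptography is missing or older than FIXED_CRYPTOGRAPHY.
    """
    version = installed_cryptography_version()
    if version is None:
        return False, "cryptography is not installed (pyjwt[crypto] extra absent)"
    if meets_minimum(version):
        return True, f"cryptography {version} >= {FIXED_CRYPTOGRAPHY}: OK"
    return False, f"cryptography {version} < {FIXED_CRYPTOGRAPHY}: upgrade needed"


if __name__ == "__main__":
    ok, message = check()
    print(message)
    sys.exit(0 if ok else 1)
```

Because the check is driven by importlib.metadata rather than by importing cryptography, it works even when the package is installed but fails to import, and it reports the missing-extra case separately from the outdated case, which is the distinction that matters when deciding whether a bump to the minimum in setup.cfg would have changed anything for a given deployment.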

akx commented 1 year ago

Probably not relevant to change here – chances are some downstream user of PyJWT will want to use it with a Python version that's e.g. no longer supported by Cryptography 38, so pinning it here would make installing pyjwt[crypto] impossible for those users.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.