markomirosavljev / fastapi-cognito

Basic Cognito-Auth library for Python and FastAPI.
MIT License
43 stars 16 forks

Switch to a modern JWT library #19

Open YaraslauZhylko opened 2 months ago

YaraslauZhylko commented 2 months ago

fastapi-cognito depends on cognitojwt that depends on python-jose that, in turn, depends on ecdsa.

That said, would it be worth switching to some modern and more maintained JWT library directly? Like joserfc or anything like it?

markomirosavljev commented 2 months ago

Hello, thank you for the suggestions. I will work on updating the library and resolving the issues.

hardchor commented 3 weeks ago

Any luck with this @markomirosavljev? (thanks for the great library btw!)

markomirosavljev commented 3 weeks ago

Hi, did some work on this and I'll continue to work on it in the next days. I didn't have enough time to focus on this in the previous period.

mpetazzoni commented 3 weeks ago

Thanks again @markomirosavljev for your work on this! Don't hesitate to ask for help from the community on reviews. I think several people (and organizations) are waiting on this to address a CVE 🙏🏻

markomirosavljev commented 3 weeks ago

Hey, released v2.5.0 just a few minutes ago. I did the migration to joserfc and removed cognito_jwt completely. Code from that library is now partially included in this library. There should be no breaking changes, only some changes related to exception messages. If you notice anything suspicious or some inconsistencies, please notify me.

YaraslauZhylko commented 2 weeks ago

We've bumped the version to v2.5.0 in our codebase and things seem to work fine so far. Only a few dots got added to the error messages, as you've mentioned.

Thanks for the update, @markomirosavljev!