Update python-jose from 3.3.0 to 3.5.0 to fix:
- CVE-2024-33663: Algorithm confusion with ECDSA keys (High)
- CVE-2024-33664: JWT bomb DoS via high compression ratio (High)

Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack)
- No fix available (maintainer considers side-channel attacks out of scope)
- Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing

All 189 tests pass. npm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>