I've recently noticed this security vulnerability cropping up across a couple of repositories, which in itself seems to be a dependency of python-jose.
I see there's this mitigation in place already for the repository, but this doesn't automatically get applied to downstream packages that include the destiny SDK as a dependency.
Since it looks like python-jose has been abandoned (no updates since May 2025) and there's no response to the PR intended to fix this issue, I wondered if we'd be able to switch over to pyjwt for the repository? This is already included as a downstream dependency from msal, and from a quick skim it seems at least possible to migrate to it from python-jose.
Happy to take a time-boxed run at this myself if there's consensus that it's worth pursuing.