chore(refactor): python-jose is removed from project.optional-dependency. #3549
In security, the tokens' encode and decode now use pyjwt.
Thanks @Squidtyper, this is a welcome change!
Yes. We are eliminating the use of python-jose in our own code and we think litestar is better off with pyjwt as well. It's my first time contributing. I see there are some errors.
Before merging this, I would like to evaluate this library instead of
joserfc and the authlib project as a whole are certainly interesting, but it seems to me that pyjwt is the better option right now. We can start with Snyk Advisor scores of 79 for joserfc vs 91 for pyjwt which also shows more consistent commit activity for the last 2 years for pyjwt. Pyjwt is simply a much more popular package right now, which suggests it's more likely to have some longevity, it has far more contributors, and thus far more eyes on it for future security issues. The authlib project is interesting, in that they've built a small company around the auth code they've built, but looking at the activity graph of their GitHub suggests that they haven't been very active in this for a while, so it may be a dying effort. However, either of these packages would be an improvement over Ref: jpadilla/pyjwt#942
I agree.
Agree with this. So that we don't get bogged down without a fix, I'm inclined to go with this change. It can be revisited should there be a need.