
Unmaintained dependency python-jose #7244

Closed
estyrke opened this issue Jan 23, 2024 · 6 comments · Fixed by #7356

Comments

@estyrke

estyrke commented Jan 23, 2024

Moto with extra cognitoidp depends on python-jose, which in turn depends on ecdsa, which in turn was flagged by dependabot: GHSA-wj6h-64fc-37mp

It doesn't seem like there will be a fix in python-ecdsa and python-jose hasn't had any releases for years, so I am wondering if it is possible to replace python-jose with joserfc or something similar? I could try to make a PR if it sounds reasonable. :)

@bblommers
Collaborator

Hi @estyrke, that makes sense - looks like joserfc is indeed a much more active library.

PRs are always welcome! Please base any work on this on the v5 branch, as this change is unlikely to make it into a v4 release.

Let me know if you need any help with that.

@bblommers
Collaborator

Please base any work on this on the v5 branch, as this change is unlikely to make it into a v4 release.

Actually - this branch has already been merged into master, so you can just base it off of that as normal.

@seanmerrifield

Also just noticed this issue and it's failing our vulnerability scans. Would be great if we can remove the ecdsa dependency

@estyrke
Author

estyrke commented Jan 30, 2024

Turns out that ecdsa is pulled in through more dependencies than just python-jose. I have a PR in the works, but it got a bit more complex than expected...
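The point that a flagged package can reach an environment through several importers, not only the obvious one, is worth checking mechanically before trusting a single "replace library X" fix. The script below is an added example (it is not moto's code and not from this thread): it reads the installed distributions' `Requires-Dist` metadata through `importlib.metadata`, builds a dependency graph, and lists every chain from a top-level distribution down to a target such as `ecdsa`. The `SAMPLE_GRAPH` is a constructed, hypothetical graph used only to exercise the functions; the package names in it (`other-lib`, `boto3`) are placeholders, not a claim about which real packages depend on ecdsa.

```python
"""Trace every chain of installed distributions that leads to a target package.

Added example, not part of the moto project. Uses only the standard library so it
runs in any Python 3.9+ environment; it over-approximates slightly because
requirements guarded by an `extra == ...` marker are listed whether or not that
extra was installed, which is the safe direction for a vulnerability review.
"""
import re
import sys
from importlib.metadata import distributions


def canonical(name: str) -> str:
    """PEP 503 style normalisation: 'Python_Jose' and 'python.jose' -> 'python-jose'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Extract the distribution name from a Requires-Dist line.

    'python-jose[cryptography]>=3.1.0; extra == "all"' -> 'python-jose'
    """
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return canonical(match.group(1)) if match else ""


def installed_graph() -> dict:
    """Map each installed distribution to the set of distributions it requires."""
    graph = {}
    for dist in distributions():
        name = canonical(dist.metadata["Name"])
        # dist.requires is None for distributions that declare no dependencies
        graph[name] = {requirement_name(r) for r in (dist.requires or [])}
    return graph


def direct_importers(graph: dict, target: str) -> list:
    """Distributions that list `target` directly in their requirements."""
    target = canonical(target)
    return sorted(pkg for pkg, deps in graph.items() if target in deps)


def chains_to(graph: dict, target: str) -> list:
    """All paths root -> ... -> target, where a root is a distribution nobody requires.

    A path is a list of package names; the `seen` set guards against cycles in
    the metadata (they do occur with optional extras).
    """
    target = canonical(target)
    required_by_someone = {dep for deps in graph.values() for dep in deps}
    roots = sorted(pkg for pkg in graph if pkg not in required_by_someone)
    found = []

    def walk(pkg, path, seen):
        if pkg == target:
            found.append(path)
            return
        for dep in sorted(graph.get(pkg, ())):
            if dep not in seen:
                walk(dep, path + [dep], seen | {dep})

    for root in roots:
        walk(root, [root], {root})
    return found


# Constructed, hypothetical graph for demonstration; the names are placeholders
# and do not describe the real dependency tree of moto or any other project.
SAMPLE_GRAPH = {
    "moto": {"python-jose", "other-lib", "boto3"},
    "python-jose": {"ecdsa"},
    "other-lib": {"ecdsa"},
    "boto3": set(),
    "ecdsa": set(),
}


if __name__ == "__main__":
    # Usage: python trace_dep.py ecdsa
    wanted = sys.argv[1] if len(sys.argv) > 1 else "ecdsa"
    live = installed_graph()
    print(f"direct importers of {wanted}: {direct_importers(live, wanted)}")
    for chain in chains_to(live, wanted):
        print(" -> ".join(chain))
```

Running it against a real environment shows whether dropping one importer actually removes the flagged package or merely one of several routes to it, which is exactly the situation described in the comment above.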

@estyrke
Author

estyrke commented Feb 18, 2024

Thanks for picking up the slack @bblommers ! I haven't had much spare time lately. 😅

@bblommers
Collaborator

No problem @estyrke! The ecdsa dependency has been removed in Moto 5.0.2, just released.
