PyJWT.decode_complete() method changing provided options object

[akarev0]

PyJWT.decode_complete() method changing provided options object instead of working with copy or something similar

Expected Result

decode_jwt_options = {
            'verify_signature': False,
            'verify_aud': False,
        }

Actual Result

decode_jwt_options = {
           'verify_signature': False, 
           'verify_aud': False, 
           'verify_exp': False, 
           'verify_nbf': False, 
           'verify_iat': False, 
           'verify_iss': False
       }

Fragment from api_jwt.py

def decode_complete(
    self,
    jwt: str,
    key: str = "",
    algorithms: List[str] = None,
    options: Dict = None,
    **kwargs,
) -> Dict[str, Any]:

# overriding original object section start

    if options is None:
        options = {"verify_signature": True}
    else:
        options.setdefault("verify_signature", True)

    if not options["verify_signature"]:
        options.setdefault("verify_exp", False)
        options.setdefault("verify_nbf", False)
        options.setdefault("verify_iat", False)
        options.setdefault("verify_aud", False)
        options.setdefault("verify_iss", False)

# overriding original object section end

    if options["verify_signature"] and not algorithms:
        raise DecodeError(
            'It is required that you pass in a value for the "algorithms" argument when calling decode().'
        )

    decoded = api_jws.decode_complete(
        jwt,
        key=key,
        algorithms=algorithms,
        options=options,
        **kwargs,
    )

    try:
        payload = json.loads(decoded["payload"])
    except ValueError as e:
        raise DecodeError("Invalid payload string: %s" % e)
    if not isinstance(payload, dict):
        raise DecodeError("Invalid payload string: must be a json object")

    merged_options = {**self.options, **options}
    self._validate_claims(payload, merged_options, **kwargs)

    decoded["payload"] = payload
    return decoded

Reproduction Steps

import jwt

payload = {'some': 'payload'}
key = 'secret'
alg = 'HS256'
algs = ['RS256', 'HS256']
jwt_options = {
    'verify_signature': False,
    'verify_aud': False,
}

token = jwt.encode(payload=payload, key=key, algorithm=alg)
print(token)

decoded = jwt.decode(jwt=token, key=key, algorithms=algs, options=jwt_options)
print(jwt_options)}
print(decoded)

[vmaksimov-aim]

Such implementation breaks the "immutable development" approach.
From my point of view it is much better to work with your own options object based on incoming parameters instead of reusing kwarg and changing this object by link.
For example if I want to use immutable dict based on MappingProxyType I'll receive an error when this code will try to change my object