
ENG-3019: Bump PyJWT to ~=2.12.0 #7718

Merged
erosselli merged 2 commits into main from erosselli/ENG-3019
Mar 20, 2026

Conversation

@erosselli erosselli commented Mar 20, 2026

Ticket ENG-3019

Description Of Changes

Bumps PyJWT from ~=2.10.0 (resolved 2.10.1) to ~=2.12.0 (resolved 2.12.1) to address CVE-2026-32597 (missing crit header validation). No code changes needed — the jwt.decode() and jwt.encode() APIs are unchanged.

Code Changes

  • Widened PyJWT~=2.10.0 → PyJWT~=2.12.0 in pyproject.toml
  • Regenerated uv.lock

Steps to Confirm

  1. CI passes — only 2 PyJWT usage sites (DRP endpoint decode, DoorDash encode), neither uses crit headers

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
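The CVE named above concerns validation of the JWS "crit" header. As an added example (not Fides' code and not PyJWT's implementation), the standard-library Python below shows the RFC 7515 §4.1.11 rule a recipient is expected to enforce: if "crit" is present it must be a non-empty array of extension names that are not spec-defined header parameters, are present in the header, and are understood by the recipient; any other token is rejected before its payload is trusted. The HS256 encode/decode helpers, the demo key and the `exp_ext` extension name are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# JOSE header parameters defined by the JWS spec itself; RFC 7515 §4.1.11
# forbids listing any of these in "crit".
STANDARD_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (JWS compact serialization)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_crit_header(header: dict, understood: frozenset = frozenset()) -> None:
    """Enforce RFC 7515 §4.1.11 on a parsed JOSE header.

    Raises ValueError unless "crit" is absent, or is a non-empty list of
    strings that are not standard params, are present in the header, and
    are all in the recipient's `understood` set.
    """
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError('"crit" must be a non-empty array')
    for name in crit:
        if not isinstance(name, str):
            raise ValueError('"crit" entries must be strings')
        if name in STANDARD_HEADER_PARAMS:
            raise ValueError(f'"crit" may not list standard header {name!r}')
        if name not in header:
            raise ValueError(f"critical header {name!r} is not present")
        if name not in understood:
            raise ValueError(f"critical header {name!r} is not understood")


def crit_verdict(header: dict, understood: frozenset = frozenset()) -> str:
    """Return "ok" if the header passes the crit check, else the rejection reason."""
    try:
        check_crit_header(header, understood)
        return "ok"
    except ValueError as exc:
        return str(exc)


def encode_hs256(payload: dict, key: bytes, extra_headers: Optional[dict] = None) -> str:
    """Constructed HS256 signer (demo only, not PyJWT's jwt.encode)."""
    header = {"alg": "HS256", "typ": "JWT", **(extra_headers or {})}
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact) + "." + _b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_hs256(token: str, key: bytes, understood: frozenset = frozenset()) -> dict:
    """Verify an HS256 JWT, applying the crit check before trusting the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let header["alg"] choose the verification path.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    check_crit_header(header, understood)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Exercise the three interesting cases on constructed tokens."""
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    results = {}
    plain = encode_hs256({"sub": "user-1"}, key)
    results["plain"] = decode_hs256(plain, key)["sub"]
    # Token declaring a critical extension ("exp_ext", constructed name).
    critical = encode_hs256({"sub": "user-2"}, key, {"crit": ["exp_ext"], "exp_ext": True})
    try:
        decode_hs256(critical, key)  # recipient does not understand exp_ext
        results["unknown_crit"] = "accepted"
    except ValueError:
        results["unknown_crit"] = "rejected"
    # Same token, recipient that does implement exp_ext: accepted.
    results["known_crit"] = decode_hs256(critical, key, frozenset({"exp_ext"}))["sub"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point for a verifier is ordering: the crit check runs after parsing the header but before the payload is returned, so a token carrying an extension the recipient cannot honour is refused even when its signature is valid, which is the behaviour the page says the two Fides call sites do not depend on but now get from the library.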
vercel bot commented Mar 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Mar 20, 2026 7:27pm
fides-privacy-center Ignored Ignored Mar 20, 2026 7:27pm

@erosselli erosselli marked this pull request as ready for review March 20, 2026 19:28
greptile-apps bot commented Mar 20, 2026

Greptile Summary

This PR is a focused security dependency bump that upgrades PyJWT from ~=2.10.0 (resolved 2.10.1) to ~=2.12.0 (resolved 2.12.1) in order to address CVE-2026-32597, which involves missing crit header validation in JWT decoding. The change is minimal and low-risk — only pyproject.toml and the regenerated uv.lock are touched, with no application code changes required.

  • pyproject.toml: Version specifier widened from ~=2.10.0 → ~=2.12.0; resolves to 2.12.1 in the lock file
  • uv.lock: Regenerated with updated sdist/wheel URLs and hashes for PyJWT 2.12.1
  • changelog/7718-bump-pyjwt.yaml: Changelog entry added under the Security type; the description references 2.12.0 but the installed version is 2.12.1 (minor inaccuracy)

Confidence Score: 5/5

  • This PR is safe to merge — it is a minimal, targeted security patch with no application code changes.
  • The change is limited to bumping one dependency to a compatible patch release (~=2.12.0 → 2.12.1) to resolve a disclosed CVE. The jwt.decode() / jwt.encode() APIs are unchanged between versions, and neither of the two call sites in the codebase uses crit headers. The only minor finding is a cosmetic inaccuracy in the changelog description (says 2.12.0, installed version is 2.12.1).
  • No files require special attention.

Important Files Changed

Filename Overview
changelog/7718-bump-pyjwt.yaml New changelog entry for the security fix; description references version 2.12.0 but the lock file resolves to 2.12.1.
pyproject.toml PyJWT specifier correctly widened from ~=2.10.0 to ~=2.12.0 to pick up the CVE fix; no other changes.
uv.lock Lock file regenerated correctly, resolving PyJWT to 2.12.1 with updated sdist and wheel hashes.

Last reviewed commit: "Add changelog for PR..."

@@ -0,0 +1,4 @@
type: Security
description: Bumped PyJWT to 2.12.0 (CVE-2026-32597)
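Review bot: the `description:` line of this hunk states 2.12.0, but the PR widens the specifier to `~=2.12.0`, which per the regenerated uv.lock resolves to 2.12.1, so the changelog will misstate the installed version; either write `description: Bumped PyJWT to 2.12.1 (CVE-2026-32597)` or phrase it in terms of the specifier (`~=2.12.0`) so it stays accurate across later patch releases.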
P2 Changelog description references wrong version

The description says "Bumped PyJWT to 2.12.0" but the actual installed version per uv.lock is 2.12.1. The ~=2.12.0 specifier resolves to the latest compatible patch release, which is 2.12.1. Consider updating the description to accurately reflect what gets installed.

Suggested change
description: Bumped PyJWT to 2.12.0 (CVE-2026-32597)
description: Bumped PyJWT to 2.12.1 (CVE-2026-32597)

@JadeCara JadeCara left a comment

🚢

@erosselli erosselli changed the title from "ENG-3019: Bump PyJWT to >=2.12.0" to "ENG-3019: Bump PyJWT to ~=2.12.0" Mar 20, 2026
@erosselli erosselli added this pull request to the merge queue Mar 20, 2026
Merged via the queue into main with commit 957de5c Mar 20, 2026
57 of 58 checks passed
@erosselli erosselli deleted the erosselli/ENG-3019 branch March 20, 2026 20:29