PyPI packages (1.14.1, 2.1.0) missing SECP256R1 curve fix from commit 7bb3b19
Bug Description: The PyPI-published versions of pywebpush (1.14.1 and 2.1.0) contain a bug that causes TypeError: curve must be an EllipticCurve instance when used with cryptography >= 40.x.
Root Cause: In `pywebpush/__init__.py`, the code calls:
```python
server_key = ec.generate_private_key(ec.SECP256R1, default_backend())
```
This should be:
```python
server_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
```
Status in Git vs PyPI:
- ✅ GitHub repo (commit 7bb3b19, Jan 24 2024): HAS THE FIX
- ✅ Git tags 2.0.0, 2.0.1, 2.1.0: HAVE THE FIX
- ❌ PyPI pywebpush==1.14.1: HAS THE BUG
- ❌ PyPI pywebpush==2.1.0: HAS THE BUG
Impact: This breaks web push notifications for anyone using modern cryptography library versions (46.x+), which is the current latest.
Error Stacktrace:
```
TypeError: curve must be an EllipticCurve instance
  File "pywebpush/__init__.py", line 203, in encode
    server_key = ec.generate_private_key(ec.SECP256R1, default_backend())
```
Reproduction:
```bash
pip install pywebpush==2.1.0 cryptography==46.0.2
python3 -c "from pywebpush import webpush; webpush(...)"  # Fails
```
Request: Could you please rebuild and republish the PyPI packages for versions 2.0.1 and 2.1.0 from their respective git tags? This would resolve the issue for all users.
Workaround (for users): Install from git directly: pip install git+https://github.com/web-push-libs/[email protected]
Environment:
- pywebpush: 2.1.0 (from PyPI)
- cryptography: 46.0.2
- Python: 3.10
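
The following is an added example, not part of the original report or the pywebpush project: a static check that reads an installed package's source without importing it and flags `generate_private_key()` calls that pass the curve class instead of an instance. The function names and the two sample sources are constructed for illustration, and the uppercase-name test is a heuristic assumption for telling a class reference from a variable.

```python
import ast
import importlib.util

# Constructed samples mirroring the buggy and fixed lines quoted in this report.
BUGGY = (
    "from cryptography.hazmat.primitives.asymmetric import ec\n"
    "server_key = ec.generate_private_key(ec.SECP256R1, default_backend())\n"
)
FIXED = BUGGY.replace("ec.SECP256R1,", "ec.SECP256R1(),")


def find_uninstantiated_curves(source):
    """Return sorted (line, expr) pairs for generate_private_key() calls whose
    curve argument is a bare class reference rather than an instance."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "generate_private_key":
            continue
        # The curve is the first positional argument or the 'curve' keyword.
        curve = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "curve"), None)
        # ec.SECP256R1() parses as ast.Call and is skipped; ec.SECP256R1 parses
        # as ast.Attribute. Heuristic: a capitalised leaf name is a class.
        if isinstance(curve, ast.Attribute):
            leaf = curve.attr
        elif isinstance(curve, ast.Name):
            leaf = curve.id
        else:
            continue
        if leaf[:1].isupper():
            hits.append((node.lineno, ast.unparse(curve)))
    return sorted(hits)


def check_installed(package="pywebpush"):
    """Scan the installed package's top-level module file without importing it.
    Returns None if the package is not installed, otherwise the list of hits."""
    spec = importlib.util.find_spec(package)
    if spec is None or not spec.origin:
        return None
    with open(spec.origin, encoding="utf-8") as fh:
        return find_uninstantiated_curves(fh.read())


if __name__ == "__main__":
    print("installed pywebpush:", check_installed())
```

An empty list from `check_installed()` means the installed copy has no uninstantiated curve call; any `(line, expr)` entries mean the installed artifact still carries the bug, whatever its version number says.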