chore(deps): bump authlib from 1.6.9 to 1.6.11

[dependabot]

Bumps authlib from 1.6.9 to 1.6.11.

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

v1.6.10

Full Changelog: authlib/authlib@v1.6.9...v1.6.10

• Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Version 1.6.10

Released on Apr 13, 2026

• Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

Commits

• 0dc0e5b chore: bump to 1.6.11
• aa7b8e4 Merge commit from fork
• 401a770 fix: CSRF issue with starlette client
• ef09aeb chore: release 1.6.10
• 3be0846 fix: redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Low Risk
Lockfile-only patch update; behavior changes are limited to the upstream authlib library and are primarily security fixes.

Overview
Updates the pinned authlib dependency in uv.lock from 1.6.9 to 1.6.11, refreshing the associated sdist/wheel URLs and hashes.

This is a patch-level bump intended to pick up upstream security fixes (including CSRF/redirect handling fixes) with no application code changes.

^{Reviewed by Cursor Bugbot for commit fac4ea1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Security review completed for this PR.

Result: No high-confidence vulnerabilities found in the introduced changes.

Evidence from diff:

• The PR only updates authlib from 1.6.9 to 1.6.11 in uv.lock.
• The lockfile keeps pinned artifact hashes (sha256) for both sdist and wheel, so integrity pinning remains in place.
• No application code, auth logic, input handling, logging, transport, or permission boundary changes are present in this diff.

Supply-chain assessment:

• This is a dependency version bump only; no new unpinned sources or execution paths are introduced by the diff itself.
• I did not find concrete evidence in this PR of a newly introduced exploitable path.

Residual validation recommended:

• Confirm CI dependency/security scanning for authlib==1.6.11 is green (advisory databases can update after merge).

  

_{Sent by Cursor Automation: Find vulnerabilities}