Date: 2026-06-16 Target: PyJWT 2.13.0 (5-fix security release) Verdict: cluster audit complete - 2 incomplete, 1 edge, 2 clean.
PyJWT 2.13.0 = a "narrow point-fixer" - 2 of 5 fixes patched only the reported instance and left a sibling/ generalization (redirect hop; the named-vs-actual gap; format blocklist). Once you confirm ONE narrow fix in a release, AUDIT THE WHOLE RELEASE - the same author under the same time pressure repeats the style. Contrast cycle243 (Symfony) = a "sweeper" - fixed all 17 bridges; auditing the rest was a walk. The cheap tell: read the fix diffs' SCOPE (one file/one branch vs the whole class). Point-fixer -> mine every sibling. Sweeper -> one representative check then move on.
When a guard rejects "key material" by recognizing specific encodings (PEM, SSH, JWK), list EVERY encoding the consumer accepts (DER, PKCS#8, X.509 cert, JWK-Set, base64-wrapped, OpenSSH-new) and test each. Blocklists miss formats by construction; allowlists (accept only the one expected shape) are the robust fix.
plus 2 cheap empirical confirmations (SSRF catcher, DoS hit-counter). High finding-density per token. The full-cluster sweep after a confirmed narrow fix is among the best EV moves in the regression-hunting lane.