This library has some pretty bad security bugs. For example, the author forgot to check that redirect_uri — matches one of the URLs listed during client registration.

The CVE is uncharacteristically scornful: https://nvd.nist.gov/vuln/detail/cve-2025-4143

I’m glad this was patched, but it is a bit worrying for something “not vibe coded” tbh