dep: update jwt 3.1.2 → 3.2.0

Security bump for CVE-2026-45363 (High, empty-key HMAC bypass). Not
exposed: jwt reaches campfire only via web-push VAPID signing, which uses
ES256 (asymmetric ECDSA), not HMAC — the vulnerable JWA::Hmac path is
unreachable. web-push requires jwt ~> 3.0; minor bump, encode API
unchanged.

Transitive dep (no Gemfile change). 15 commits analyzed, 0 mitigations.

https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-jwt_v3.1.2..v3.2.0.md

🤖 Assisted by Claude
This commit is contained in:
Mike Dalessio
2026-06-09 11:29:42 -04:00
parent 905165b7e2
commit 17f81d4fa0
+1 -1
View File
@@ -192,7 +192,7 @@ GEM
actionview (>= 7.0.0)
activesupport (>= 7.0.0)
json (2.13.2)
jwt (3.1.2)
jwt (3.2.0)
base64
kredis (1.8.0)
activemodel (>= 6.0.0)