mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
dep: update jwt 3.1.2 → 3.2.0
Security bump for CVE-2026-45363 (High, empty-key HMAC bypass). Not exposed: jwt reaches campfire only via web-push VAPID signing, which uses ES256 (asymmetric ECDSA), not HMAC — the vulnerable JWA::Hmac path is unreachable. web-push requires jwt ~> 3.0; minor bump, encode API unchanged. Transitive dep (no Gemfile change). 15 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-jwt_v3.1.2..v3.2.0.md 🤖 Assisted by Claude
This commit is contained in:
+1
-1
@@ -192,7 +192,7 @@ GEM
|
||||
actionview (>= 7.0.0)
|
||||
activesupport (>= 7.0.0)
|
||||
json (2.13.2)
|
||||
jwt (3.1.2)
|
||||
jwt (3.2.0)
|
||||
base64
|
||||
kredis (1.8.0)
|
||||
activemodel (>= 6.0.0)
|
||||
|
||||
Reference in New Issue
Block a user