From 17f81d4fa065477bfb94a91c1d7b33678b1f3189 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:29:42 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20jwt=203.1.2=20=E2=86=92=203.2.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2026-45363 (High, empty-key HMAC bypass). Not exposed: jwt reaches campfire only via web-push VAPID signing, which uses ES256 (asymmetric ECDSA), not HMAC — the vulnerable JWA::Hmac path is unreachable. web-push requires jwt ~> 3.0; minor bump, encode API unchanged. Transitive dep (no Gemfile change). 15 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-jwt_v3.1.2..v3.2.0.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index da0cee7..cfebb3b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -192,7 +192,7 @@ GEM actionview (>= 7.0.0) activesupport (>= 7.0.0) json (2.13.2) - jwt (3.1.2) + jwt (3.2.0) base64 kredis (1.8.0) activemodel (>= 6.0.0)