
Update jwt gem #88

Open
mdlima wants to merge 1 commit into livekit:main from mdlima:main

Conversation

@mdlima

@mdlima mdlima commented May 19, 2026


ruby-jwt v3.2.0 addresses a vulnerability that allows HMAC bypass: GHSA-c32j-vqhx-rx3x

This PR also addresses #86.

@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@moladukes


+1 and a concrete data point on why the jwt < 3.0 pin makes the gem strictly unadoptable on modern Rails apps, not just inconvenient:

workos (the official WorkOS SDK, v7.x) requires jwt ~> 3.1. Any app using WorkOS for auth is therefore locked to jwt 3.x and cannot add livekit-server-sdk at all. Bundler can't resolve < 3.0 against ~> 3.1. The same applies to current devise-jwt. Since jwt 3.2.0 also fixes the HMAC-bypass advisory noted above, the loosening is both a compatibility and a security win.

The SDK's actual jwt usage (JWT.encode / JWT.decode for access tokens) is compatible with 3.x, so expanding the constraint to >= 2.2.3, < 4.0 should be low-risk. Happy to test a branch against a jwt-3.2 app if useful.

Thanks
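The resolver conflict described in the comment above can be reproduced without Bundler, using RubyGems' own `Gem::Requirement` and `Gem::Version` classes, which implement the same constraint semantics (`<`, `>=`, `~>`). The following is an added example, not code from this PR or from the livekit-server-sdk project; the list of candidate jwt version numbers is constructed for the demonstration and is not a live registry query.

```ruby
# Added example (not from the PR): show why a `jwt < 3.0` pin cannot be
# resolved alongside a dependency requiring `jwt ~> 3.1`, and why widening
# the pin to `>= 2.2.3, < 4.0` resolves cleanly.
require 'rubygems'

# Constructed sample of jwt version numbers for the demonstration.
# 3.2.0 is the release the PR targets; the 2.x entries stand in for older
# releases and are not a complete or verified list.
JWT_VERSIONS = %w[2.2.3 2.7.1 2.8.2 2.10.1 3.0.0 3.1.2 3.2.0]
               .map { |v| Gem::Version.new(v) }
               .freeze

# Parse a requirement string such as ">= 2.2.3, < 4.0" into a Gem::Requirement.
# Gem::Requirement.new accepts several operator/version strings at once.
def parse_requirement(requirement_string)
  Gem::Requirement.new(*requirement_string.split(',').map(&:strip))
end

# Versions that satisfy every requirement at the same time. Each requirement
# string represents one gem in the bundle that depends on jwt (for example the
# SDK's gemspec and the WorkOS SDK's gemspec).
def resolvable_versions(*requirement_strings, candidates: JWT_VERSIONS)
  reqs = requirement_strings.map { |r| parse_requirement(r) }
  candidates.select { |v| reqs.all? { |req| req.satisfied_by?(v) } }
end

# Highest version satisfying all requirements, or nil when the constraints
# conflict and no version can be chosen (the situation Bundler reports).
def best_version(*requirement_strings, candidates: JWT_VERSIONS)
  resolvable_versions(*requirement_strings, candidates: candidates).max
end

# Human-readable verdict for a given set of constraints.
def describe_resolution(*requirement_strings)
  chosen = best_version(*requirement_strings)
  if chosen
    "#{requirement_strings.join(' AND ')} -> jwt #{chosen}"
  else
    "#{requirement_strings.join(' AND ')} -> CONFLICT, no version satisfies all constraints"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Current pin in the SDK against the WorkOS SDK requirement: unresolvable.
  puts describe_resolution('< 3.0', '~> 3.1')
  # Pin proposed in the discussion against the same requirement: resolves.
  puts describe_resolution('>= 2.2.3, < 4.0', '~> 3.1')
end
```

`best_version` returns `nil` for the `< 3.0` / `~> 3.1` pair because no candidate is both below 3.0 and at or above 3.1, which is exactly the situation Bundler refuses to resolve; with the widened range the same inputs select 3.2.0.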
