Update jwt gem#88
Conversation
+1 and a concrete data point on why the jwt < 3.0 pin makes the gem strictly unadoptable on modern Rails apps, not just inconvenient: workos (the official WorkOS SDK, v7.x) requires jwt ~> 3.1. Any app using WorkOS for auth is therefore locked to jwt 3.x and cannot add livekit-server-sdk at all. Bundler can't resolve < 3.0 against ~> 3.1. The same applies to current devise-jwt. Since jwt 3.2.0 also fixes the HMAC-bypass advisory noted above, the loosening is both a compatibility and a security win. The SDK's actual jwt usage (JWT.encode / JWT.decode for access tokens) is compatible with 3.x, so expanding the constraint to >= 2.2.3, < 4.0 should be low-risk. Happy to test a branch against a jwt-3.2 app if useful. Thanks
ruby-jwt v3.2.0 addresses a vulnerability that allows HMAC bypass: GHSA-c32j-vqhx-rx3x. This PR also addresses #86.
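To make the resolution argument from the comment above concrete, here is an added example (not code from livekit-server-sdk, ruby-jwt or the PR) that checks whether a set of gem requirements can be satisfied by a common version. It uses only `Gem::Requirement` and `Gem::Version` from the RubyGems standard library, not Bundler's real resolver, and the list of candidate jwt versions is constructed for illustration; the old constraint `< 3.0` and the loosened `>= 2.2.3, < 4.0` are taken as the comment states them.

```ruby
# Added example, not part of the livekit-server-sdk or jwt projects.
# Uses RubyGems' built-in requirement/version classes to show why a
# "< 3.0" pin cannot coexist with a dependency that requires "~> 3.1",
# and that ">= 2.2.3, < 4.0" can.
require "rubygems"

# Constructed candidate release list (assumption: a hand-picked subset;
# a real resolver would consult the full gem index).
JWT_VERSIONS = %w[2.2.3 2.7.1 2.10.1 3.0.0 3.1.0 3.1.2 3.2.0]
  .map { |v| Gem::Version.new(v) }.freeze

# Parses a requirement string such as ">= 2.2.3, < 4.0" into one
# Gem::Requirement (comma-separated clauses are AND-ed, as in a gemspec).
def parse_requirement(str)
  Gem::Requirement.new(*str.split(",").map(&:strip))
end

# Returns the candidate versions that satisfy every requirement string.
def resolvable_versions(requirements, candidates = JWT_VERSIONS)
  reqs = requirements.map { |r| parse_requirement(r) }
  candidates.select { |v| reqs.all? { |req| req.satisfied_by?(v) } }
end

# True when no single version satisfies all requirements, i.e. the
# situation Bundler reports as a version conflict.
def conflict?(requirements, candidates = JWT_VERSIONS)
  resolvable_versions(requirements, candidates).empty?
end

# Highest version a resolver would normally pick, or nil on conflict.
def highest_resolvable(requirements, candidates = JWT_VERSIONS)
  resolvable_versions(requirements, candidates).max&.to_s
end

if __FILE__ == $0
  old_pin = ["< 3.0", "~> 3.1"]              # SDK's current pin + workos
  loosened = [">= 2.2.3, < 4.0", "~> 3.1"]   # proposed constraint + workos
  puts "old pin + workos:  #{conflict?(old_pin) ? 'unresolvable' : highest_resolvable(old_pin)}"
  puts "loosened + workos: #{highest_resolvable(loosened)}"
end
```

Running it prints that the old pin is unresolvable against `~> 3.1` while the loosened constraint resolves to 3.2.0, the release that carries the HMAC-bypass fix.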