Upgrade jwt from 2.10.2 to 3.2.0 in fastlane bundle#320

Merged
d4rken merged 1 commit into main from fix/jwt-empty-key-hmac-bypass, May 26, 2026
Conversation

@d4rken d4rken commented May 26, 2026

Resolves Dependabot alert GHSA-c32j-vqhx-rx3x (high, CVSS 7.4): empty-key HMAC bypass in ruby-jwt < 3.2.0.

Changes

  • jwt 2.10.2 → 3.2.0 (the security fix)
  • fastlane 2.232.1 → 2.235.0 (relaxes jwt constraint from < 3 to < 4)
  • googleauth 1.11.2 → 1.16.2 (relaxes jwt constraint from < 3.0 to < 4.0)
  • BUNDLED WITH 2.2.8 → 2.6.2 (fastlane 2.235.0 requires bundler ≥ 2.4.0; CI's ruby/setup-ruby installs the BUNDLED WITH version)

Context

The jwt gem is a transitive dependency of fastlane, used by googleauth/signet for Google service-account auth (Play Store uploads). The vulnerability itself (empty-key HMAC decode bypass) has no practical exposure here — fastlane signs JWTs with a real private key and never verifies attacker-supplied tokens — but clearing the alert keeps the Dependabot list signal-rich.

The upgrade required bumping bundler because the only fastlane version that relaxes the jwt cap (2.235.0) requires bundler >= 2.4.0, while the lockfile previously pinned BUNDLED WITH 2.2.8.

Resolves Dependabot alert GHSA-c32j-vqhx-rx3x (high): empty-key HMAC bypass in ruby-jwt < 3.2.0.

The jwt fix required fastlane 2.235.0 (relaxes jwt to < 4) and googleauth 1.16.2 (relaxes jwt to < 4.0). fastlane 2.235.0 in turn requires bundler >= 2.4.0, so BUNDLED WITH moves 2.2.8 -> 2.6.2.
@d4rken d4rken merged commit b5eb833 into main May 26, 2026
17 checks passed
@d4rken d4rken deleted the fix/jwt-empty-key-hmac-bypass branch May 26, 2026 14:29
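An added example (not code from this PR, fastlane, googleauth or ruby-jwt) of the defensive check a token-verifying application should keep regardless of which jwt version the lockfile resolves: an HS256 verifier that refuses a nil or empty HMAC secret before it does anything else. Hs256Guard and its methods are hypothetical names; the secret and payload are constructed.

```ruby
require 'openssl'
require 'json'

# Constructed HS256 verifier for illustration only; not ruby-jwt, fastlane or
# googleauth code. The first check in `verify` is the one the advisory is
# about: verification must abort on a nil/empty HMAC secret (e.g. an unset
# environment variable) rather than run the HMAC with a key anyone can supply.
module Hs256Guard
  class VerificationError < StandardError; end

  def self.b64url_decode(str)
    padded = str + ('=' * ((4 - str.length % 4) % 4))
    padded.tr('-_', '+/').unpack1('m0') # strict decode; raises ArgumentError on junk
  end

  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # Builds fixture tokens for the checks below; in practice tokens come from the issuer.
  def self.sign(payload, key)
    data = "#{b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}." \
           "#{b64url_encode(JSON.generate(payload))}"
    "#{data}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', key, data))}"
  end

  # Returns the payload hash; raises VerificationError on any failure.
  def self.verify(token, key)
    raise VerificationError, 'HMAC key must be a non-empty string' if key.nil? || key.empty?
    parts = token.to_s.split('.')
    raise VerificationError, 'malformed token' unless parts.length == 3
    header = JSON.parse(b64url_decode(parts[0]))
    unless header.is_a?(Hash) && header['alg'] == 'HS256'
      raise VerificationError, 'unexpected alg' # never let the token pick the algorithm
    end
    expected = OpenSSL::HMAC.digest('SHA256', key, "#{parts[0]}.#{parts[1]}")
    actual = b64url_decode(parts[2])
    unless actual.bytesize == expected.bytesize && OpenSSL.fixed_length_secure_compare(expected, actual)
      raise VerificationError, 'bad signature'
    end
    JSON.parse(b64url_decode(parts[1]))
  rescue ArgumentError, JSON::ParserError => e
    raise VerificationError, "undecodable token: #{e.message}"
  end
end
```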