Fastlane: Bump jwt to 3.2.0 (GHSA-c32j-vqhx-rx3x)#364

Merged: d4rken merged 1 commit into main from fix/jwt-dependabot-alert on May 26, 2026
Conversation

d4rken (Member) commented May 26, 2026

What changed

No user-facing behavior change. Resolves Dependabot alert #17 by bumping the jwt gem in the fastlane (release/CI) toolchain from 2.10.2 to 3.2.0, which patches a high-severity empty-key HMAC bypass (CVE-2026-45363).

Technical Context

  • The vuln: jwt < 3.2.0 accepts an attacker-forged token when JWT.decode is called with an empty/nil HMAC key. Practical exposure in this repo is negligible — jwt is only a transitive dep of fastlane via googleauth, used for Google Play service-account auth with a real key, and never ships in the app. Bumping is to clear the alert.
  • Why a simple jwt bump didn't work: jwt was capped below 3.0 by two parents — fastlane 2.233.1 (jwt < 3) and googleauth 1.11.2 (jwt < 3.0). Both upper bounds are relaxed to < 4 only in newer releases.
  • The fix: bump fastlane → 2.235.0 (constraint now jwt < 4), which pulls googleauth → 1.16.2 (also jwt < 4), letting bundler resolve jwt 3.2.0. The incidental aws-sdk / google-apis bumps in the lockfile are the re-resolution of fastlane's transitive deps.
  • BUNDLED WITH 2.2.8 → 2.6.2: required, not cosmetic — fastlane 2.235.0 declares bundler >= 2.4.0. CI's ruby/setup-ruby step uses bundler-cache: true, which installs the BUNDLED WITH version from the lockfile, so the runner picks up 2.6.2 automatically (ruby 3.3.6 unchanged).
  • Verified locally: bundle check passes and bundle exec fastlane --version reports 2.235.0 (mirrors the CI "Verify fastlane Bundler wiring" step).

Closes GHSA-c32j-vqhx-rx3x

Dependabot alert #17 (CVE-2026-45363): jwt < 3.2.0 has an empty-key HMAC bypass where JWT.decode with an empty/nil key accepts a forged token.

jwt was capped below 3.0 by fastlane 2.233.1 and googleauth 1.11.2. Bumping fastlane to 2.235.0 relaxes its constraint to jwt < 4 and pulls googleauth 1.16.2 (also jwt < 4), letting bundler resolve jwt 3.2.0.

fastlane 2.235.0 requires bundler >= 2.4.0, so BUNDLED WITH moves 2.2.8 -> 2.6.2. CI uses ruby/setup-ruby with bundler-cache, which installs the BUNDLED WITH version automatically.

Closes GHSA-c32j-vqhx-rx3x
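As an added example (not code from this PR or the project), a Ruby check in the spirit of the "Verify fastlane Bundler wiring" CI step described above: it parses a Gemfile.lock and confirms that jwt, fastlane and BUNDLED WITH meet the minimums the PR gives, so a future lockfile regression would fail CI rather than only re-open a Dependabot alert. The helper names, the constants and the lockfile excerpt are this example's own constructions, using only Ruby's bundled Gem::Version / Gem::Requirement.

```ruby
# Minimums taken from the PR description; names below are this example's own.
MIN_VERSIONS = {
  "jwt"      => Gem::Requirement.new(">= 3.2.0"),   # patched for GHSA-c32j-vqhx-rx3x
  "fastlane" => Gem::Requirement.new(">= 2.235.0"), # first release allowing jwt < 4
  "bundler"  => Gem::Requirement.new(">= 2.4.0"),   # required by fastlane 2.235.0
}.freeze

# Map of resolved gem name => Gem::Version from every "specs:" section of a
# Gemfile.lock, plus the BUNDLED WITH version stored under the "bundler" key.
def resolved_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.start_with?("  specs:")
    in_specs = false unless line.start_with?("  ") # blank line / next section ends specs
    # Resolved gems sit at exactly four spaces; six-space lines are dependency
    # constraints ("jwt (< 3)"), not resolved versions, and are skipped.
    if in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  bundled = lockfile_text[/^BUNDLED WITH\n\s+(\S+)/, 1]
  versions["bundler"] = Gem::Version.new(bundled) if bundled
  versions
end

# Names whose resolved version is missing or below its minimum; CI should fail
# when this list is non-empty.
def unsatisfied(lockfile_text)
  found = resolved_versions(lockfile_text)
  MIN_VERSIONS.reject { |name, req| found[name] && req.satisfied_by?(found[name]) }.keys
end

# Constructed lockfile excerpt mirroring the post-bump state described in the PR.
PATCHED_LOCK = <<LOCK
GEM
  specs:
    fastlane (2.235.0)
      jwt (< 4)
    googleauth (1.16.2)
      jwt (< 4)
    jwt (3.2.0)

BUNDLED WITH
   2.6.2
LOCK

missing = unsatisfied(PATCHED_LOCK)
puts(missing.empty? ? "lockfile ok" : "below minimum: #{missing.join(', ')}")
```

Running the same check against a lockfile still at fastlane 2.233.1 / jwt 2.10.2 / BUNDLED WITH 2.2.8 reports all three names.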
@d4rken d4rken merged commit 8222e0c into main May 26, 2026
11 checks passed
@d4rken d4rken deleted the fix/jwt-dependabot-alert branch May 26, 2026 13:50