Bump jwt from 0.1.11 to 3.2.0#7
Conversation
Bumps [jwt](https://github.com/jwt/ruby-jwt) from 0.1.11 to 3.2.0. - [Release notes](https://github.com/jwt/ruby-jwt/releases) - [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md) - [Commits](jwt/ruby-jwt@jwt-0.1.11...v3.2.0) --- updated-dependencies: - dependency-name: jwt dependency-version: 3.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4ff3c68. Configure here.
| faraday (~> 0.8) | ||
| httpauth (~> 0.1) | ||
| multi_json (~> 1.0) | ||
| rack (~> 1.4) |
There was a problem hiding this comment.
oauth2 downgraded from 0.9.3 to 0.7.1 breaking authentication
High Severity
The oauth2 gem was downgraded from 0.9.3 to 0.7.1 as a side effect of bumping jwt. The old oauth2 0.9.3 depended on jwt (~> 0.1.8), which conflicts with jwt 3.2.0, so Bundler resolved the conflict by downgrading oauth2 to a version that doesn't use jwt at all. This means jwt 3.2.0 is now orphaned (nothing in the dependency tree requires it), while github_api 0.11.3 is forced to use an older, potentially incompatible oauth2 version that could break GitHub OAuth authentication used in github_authentication.rb.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 4ff3c68. Configure here.
Bumps jwt from 0.1.11 to 3.2.0.
Release notes
Sourced from jwt's releases.
Changelog
Sourced from jwt's changelog.
... (truncated)
Commits
db560b7Merge commit from forkffef4f2Bump actions/download-artifact from 7 to 8 (#719)69a343dBump actions/upload-artifact from 6 to 7 (#718)78e7ed2Fix Style/PredicateWithKind RuboCop issue (#720)1a1d877Extract context classes into separate files for better organization (#717)d3e52e9Add enforce_hmac_key_length configuration option (#716)24ec3d8Fix type error when header is not a JSON object (#715)8c655d4Fix typo in "Rubocop" to use correct casing "RuboCop" (#714)7af2ac0Bump actions/download-artifact from 4 to 7 (#708)efd5e6fBump actions/upload-artifact from 4 to 6 (#709)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Major-version bump of
jwtcan introduce breaking API/behavior changes in token encoding/verification at runtime. Lockfile also shifts transitive auth/JSON dependencies, which may impact OAuth/token flows.Overview
Updates Bundler lockfile to bump
jwtfrom0.1.11to3.2.0, pulling in the newbase64dependency.Adjusts related transitive dependencies in
Gemfile.lock, including addinghttpauth, updatingmulti_json, and downgradingoauth2to0.7.1to satisfy the resolved dependency graph.Reviewed by Cursor Bugbot for commit 4ff3c68. Bugbot is set up for automated code reviews on this repo. Configure here.