
Bump fastlane to 2.235.0 and jwt to 3.2.0 (CVE-2026-45363)#663

Open
bjorkert wants to merge 1 commit into dev from dependabot/jwt-3.2.0

Conversation

@bjorkert
Member

Resolves Dependabot alert #15 (GHSA-c32j-vqhx-rx3x / CVE-2026-45363).

jwt < 3.2.0 accepts attacker-forged tokens when an empty or nil key is supplied to HMAC algorithms (HS256/HS384/HS512). fastlane 2.233.1 had a hard jwt < 3 upper bound that blocked the fix. fastlane 2.235.0 relaxes that to jwt < 4, allowing the upgrade to jwt 3.2.0.

jwt < 3.2.0 accepts attacker-forged tokens when an empty or nil key is
used with HMAC algorithms (GHSA-c32j-vqhx-rx3x). fastlane 2.233.1 pinned
jwt < 3, blocking the fix. fastlane 2.235.0 relaxes that to jwt < 4,
allowing the upgrade to 3.2.0.
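To make the description above concrete, here is an added example (not ruby-jwt's code and not part of this repository) of why a nil or empty HMAC key has to be rejected rather than used. All names (hmac_sha256, hs256_sign, weak_verify, hardened_verify) are hypothetical. weak_verify coerces a missing key to "" and verifies against it, which is the failure mode the PR describes: the empty key is a legal HMAC key that every attacker knows, so a token minted under it is accepted by any verifier whose key is unset. hardened_verify refuses such keys before any MAC is computed. The HMAC is written out per RFC 2104 over OpenSSL::Digest so that the zero-length-key case does not depend on how the local OpenSSL build treats empty HMAC keys.

```ruby
require "json"
require "openssl"

# Hypothetical minimal HS256 signer and verifiers (added illustration, not
# ruby-jwt's code). weak_verify mirrors the failure mode described in the PR:
# a nil or empty key is silently used as the HMAC key. hardened_verify refuses
# such keys before any MAC is computed.

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  s += "=" * ((4 - s.length % 4) % 4)
  s.unpack1("m0")
end

# RFC 2104 HMAC over SHA-256, written out rather than via OpenSSL::HMAC so the
# zero-length-key case behaves the same on every OpenSSL build. Note that "" is
# a perfectly valid key: it is zero-padded to the 64-byte block, and anyone can
# compute MACs under it.
def hmac_sha256(key, data)
  k = key.to_s.b
  k = OpenSSL::Digest::SHA256.digest(k) if k.bytesize > 64
  k = k.ljust(64, "\0")
  ipad = k.bytes.map { |b| b ^ 0x36 }.pack("C*")
  opad = k.bytes.map { |b| b ^ 0x5c }.pack("C*")
  OpenSSL::Digest::SHA256.digest(opad + OpenSSL::Digest::SHA256.digest(ipad + data.b))
end

def hs256_sign(claims, key)
  header = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url_encode(hmac_sha256(key, signing_input))}"
end

# Constant-time byte comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak: nil/"" is coerced to the empty key. A token minted with the empty key
# (no secret needed) is therefore accepted whenever the server's key is unset.
# Returns the claims Hash on success, nil on failure.
def weak_verify(token, key)
  header, payload, sig = token.split(".", 3)
  return nil unless header && payload && sig
  hdr = JSON.parse(b64url_decode(header))
  return nil unless hdr.is_a?(Hash) && hdr["alg"] == "HS256"
  signing_input = "#{header}.#{payload}"
  return nil unless secure_equal?(hmac_sha256(key, signing_input), b64url_decode(sig))
  JSON.parse(b64url_decode(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Hardened: a missing or empty key is a configuration error, not a key.
def hardened_verify(token, key)
  raise ArgumentError, "HMAC key must be a non-empty String" unless key.is_a?(String) && !key.empty?
  weak_verify(token, key)
end

if $PROGRAM_NAME == __FILE__
  forged = hs256_sign({ "sub" => "admin" }, "")   # the attacker needs no secret
  p weak_verify(forged, nil)                      # accepted: {"sub"=>"admin"}
  begin
    hardened_verify(forged, nil)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the forged claims from weak_verify and the rejection from hardened_verify. The same check belongs at configuration-load time: a service whose signing secret is unset should fail to start rather than verify tokens against "".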
@marionbarker
Collaborator

marionbarker commented May 30, 2026

I think these 2 lines should be removed from Gemfile:

gem "json", ">=2.19.2"
gem "addressable", ">=2.9.0"

I added them when they were needed for security issues with fastlane 2.233.1.

When I bumped LoopKit/LoopWorkspace up to fastlane 2.234.0, they were no longer needed so I removed them.

I tested bundle install for this branch after removing those 2 lines and the Gemfile.lock was modified only by removing those two lines in the DEPENDENCIES section.
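The lockfile check described in the comment above can be scripted. The following is an added example, not code from this PR or repository: it reads the resolved top-level versions out of a Gemfile.lock, confirms that jwt and fastlane landed at or above the fixed versions named in this PR, and lists what the DEPENDENCIES section still declares directly (which is where the two pinned gems would show up if they had not been removed). The lockfile text is constructed for the demo, and its constraint strings are illustrative rather than fastlane's actual ones.

```ruby
require "rubygems"

# Added example (not from the PR): confirm from Gemfile.lock that the gems this
# PR bumps resolved at or above the fixed versions, and list the gems the
# Gemfile declares directly. The lockfile below is constructed for the demo;
# its dependency constraints are illustrative, not fastlane's real ones.

MINIMUM_FIXED = { "jwt" => "3.2.0", "fastlane" => "2.235.0" }.freeze

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 7.0)
      fastlane (2.235.0)
        addressable (>= 2.8, < 3.0.0)
        jwt (< 4)
      jwt (3.2.0)
        base64
      nokogiri (1.18.3-x86_64-linux)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    fastlane
    jwt (>= 3.2.0)

  BUNDLED WITH
     2.6.3
LOCK

# Top-level resolved specs sit exactly four spaces deep: "    name (version)".
# Their own dependencies sit six deep and are skipped; a platform suffix such
# as "-x86_64-linux" is dropped so Gem::Version can parse the rest.
SPEC_LINE = /\A {4}(\S+) \(([^)\s-]+)/

def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line.strip.empty?   # a blank line closes the block
    next unless in_specs && (m = SPEC_LINE.match(line))
    versions[m[1]] = Gem::Version.new(m[2])
  end
  versions
end

# Names listed under DEPENDENCIES, i.e. what the Gemfile declares directly
# (a trailing "!" marks git/path sources and is dropped).
def declared_dependencies(lock_text)
  section = lock_text.split(/^DEPENDENCIES\n/, 2)[1].to_s
  section.each_line.take_while { |l| l.start_with?("  ") }
         .map { |l| l.strip.split(" ", 2).first.delete_suffix("!") }
end

# Gems from minimums that are absent from the lock or still below the fix.
def unfixed_gems(versions, minimums = MINIMUM_FIXED)
  minimums.reject { |name, min| versions[name] && versions[name] >= Gem::Version.new(min) }.keys
end

if $PROGRAM_NAME == __FILE__
  versions = lockfile_versions(SAMPLE_LOCK)
  puts "resolved: #{versions.map { |n, v| "#{n} #{v}" }.join(", ")}"
  puts "declared: #{declared_dependencies(SAMPLE_LOCK).join(", ")}"
  puts "still unfixed: #{unfixed_gems(versions).inspect}"
end
```

Pointing lockfile_versions at File.read("Gemfile.lock") after bundle install gives a CI-friendly assertion that the advisory's fixed versions actually resolved, independent of what the Gemfile requests.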

