Relax version constraint for jwt gem #49

Merged: synth merged 1 commit into synth:main from prognostikos:jwt-3x on May 20, 2026

@prognostikos
Contributor

Before this commit, adding this gem downgraded JWT from 3.1.x to 2.x for our app. Tests are passing with JWT 3.1.2, the latest version.

anandmanu pushed a commit to anandmanu/omniauth-microsoft_graph that referenced this pull request Feb 28, 2026
Allow jwt 3.x alongside 2.x. The gem's JWT usage (JWT.decode,
JWT::JWK::Set.new, JWT::VerificationError) is fully compatible
with both major versions.

This unblocks web-push 3.x which requires jwt ~> 3.0.

See: synth#49

@AntoineGirard

Hello @synth
Are you going to merge this PR? I’m interested too.
TIA

@TwilightCoder

@synth This PR is looking important now, because there is a high-severity vulnerability published recently for JWT versions < 3.2.

GHSA-c32j-vqhx-rx3x

@Rylab

Rylab commented May 19, 2026

Yes, please merge this, it resolves a high-severity JWT vuln and works 100% fine with all 3.x JWT as-is. Thank you.

@synth
Owner

synth commented May 19, 2026

Will do this today!

@jbaxendale-ut

@synth noticing that a few of the forks seem to be also relaxing omniauth-oauth2 as well if that would also be something worth getting into a release, seen discussed in this older issue as there being a bugfix that addresses compatibility: #43 (comment)

ex: main...betagouv:omniauth-microsoft_graph:main

Comment thread omniauth-microsoft_graph.gemspec
@synth synth merged commit 764ebe7 into synth:main May 20, 2026
synth added a commit that referenced this pull request May 20, 2026
* Fix email domain up domain case sensitive comparison (#42)
* Update sinatra requirement from ~> 2.2 to ~> 4.1 in the bundler group (#40)
* Relax version constraint for jwt gem (#49)

@synth
Owner

synth commented May 20, 2026

Published 2.2.0 of this gem to rubygems.

@prognostikos prognostikos deleted the jwt-3x branch May 20, 2026 10:12