
bump jwt from 2.10.3 to 3.2.0 #8039

Open

donny-wong wants to merge 4 commits into MarkUsProject:master from donny-wong:bump-jwt-3.2.0

Conversation

donny-wong (Contributor) commented Jul 2, 2026

Proposed Changes


Manually bump jwt gem from 2.10.3 → 3.2.0. Since jwt is unpinned in the Gemfile, this is a Gemfile.lock-only change.

3.2.0 is the current latest release. Relevant points from its changelog:

  • Carries the fix for GHSA-c32j-vqhx-rx3x - rejecting nil/empty HMAC keys when signing and verifying. As assessed in the Dependabot bump build(deps): bump jwt from 2.10.1 to 2.10.3 #7959, this is an HMAC vulnerability, and MarkUs signs and verifies exclusively with RSA/RS256, so the vulnerable path was never reachable - but moving to the patched release keeps us current.
  • The openssl 4.0 gem compatibility fix does not apply here: MarkUs does not bundle the standalone openssl gem (it is absent from Gemfile.lock) and instead relies on Ruby's stdlib OpenSSL. RSA/RS256 was confirmed working at runtime.
  • Remaining entries are HMAC-only (enforce_hmac_key_length), CI-only (Ruby 4.0 test matrix), or defensive hardening (type error on non-JSON token headers) - none affect the RSA/RS256/JWKS paths MarkUs uses.

Major version (3.0) breaking-change review

  • HMAC/EdDSA changes (jwt-eddsa split, rbnacl removal, HS512256 drop) — irrelevant to RSA.
  • RSA keys must be ≥ 2048 bits — satisfied by construction: rails markus:lti_key hardcodes OpenSSL::PKey::RSA.new(2048).
  • Verify-before-payload — our decode verifies before reading claims (no unverified payload access).
  • Stricter RFC 4648 base64 decoding — Canvas tokens are properly encoded and decode cleanly under the stricter rule.
  • Custom-algorithm interface change — N/A; MarkUs uses only the built-in RS256 algorithm, no custom algorithms defined.

Tests:

  • Ran the full LTI spec suite successfully.
  • Successful testing on local Canvas and MarkUs.

Screenshots of your changes (if applicable)

Type of Change


Type                                                                                  | Applies?
🚨 Breaking change (fix or feature that would cause existing functionality to change) |
New feature (non-breaking change that adds functionality)                             |
🐛 Bug fix (non-breaking change that fixes an issue)                                  |
🎨 User interface change (change to user interface; provide screenshots)              |
♻️ Refactoring (internal change to codebase, without changing functionality)          |
🚦 Test update (change that only adds or modifies tests)                              |
📦 Dependency update (change that updates a dependency)                               | x
📖 Documentation update (change that updates documentation)                           |
🔧 Internal (change that only affects developers or continuous integration)           |

Checklist


Before opening your pull request:

  • I have performed a self-review of my changes.
    • Check that all changed files included in this pull request are intentional changes.
    • Check that all changes are relevant to the purpose of this pull request, as described above.
  • I have added tests for my changes, if applicable.
    • This is required for all bug fixes and new features.
  • I have updated the project documentation, if applicable.
    • This is required for new features.
  • If this is my first contribution, I have added myself to the list of contributors.

After opening your pull request:

  • I have updated the project Changelog (this is required for all changes).
  • I have verified that the pre-commit.ci checks have passed.
  • I have verified that the CI tests have passed.
  • I have reviewed the test coverage changes reported by Coveralls.
  • I have requested a review from a project maintainer.

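The four RS256 properties the review above leans on (RSA keys at or above 2048 bits, verifying the signature before any claim is decoded, strict RFC 4648 base64url decoding, and a type error on a non-JSON token header) are shown below as an added stand-alone Ruby example written against Ruby's stdlib OpenSSL only. It is not the jwt gem's implementation and not MarkUs code; the key, the claims and all function names are constructed for the illustration.

```ruby
require 'openssl'
require 'json'

# Added illustration of the jwt 3.x behaviours discussed in the PR body,
# using only stdlib OpenSSL. Not the jwt gem and not MarkUs code; the key,
# claims and function names below are assumptions made for this example.

MIN_RSA_BITS = 2048 # jwt 3.x refuses RSA keys smaller than this

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Strict RFC 4648 base64url: a character outside the alphabet is rejected
# rather than silently skipped (the lenient behaviour jwt 2.x tolerated).
def b64url_decode(str)
  raise ArgumentError, 'invalid base64url segment' unless str.match?(/\A[A-Za-z0-9_-]*\z/)
  padded = str + ('=' * ((4 - str.length % 4) % 4))
  padded.tr('-_', '+/').unpack1('m0')
end

def check_key_size!(key)
  bits = key.n.num_bits
  raise ArgumentError, "RSA key is #{bits} bits; minimum is #{MIN_RSA_BITS}" if bits < MIN_RSA_BITS
end

def sign_rs256(claims, private_key)
  check_key_size!(private_key)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Verify-before-payload: the claims segment is decoded only after the
# signature over "header.payload" has been checked, so a tampered or
# malformed payload never reaches JSON.parse.
def verify_rs256(token, public_key)
  check_key_size!(public_key)
  parts = token.split('.', -1)
  raise ArgumentError, 'token must have exactly three segments' unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  raise TypeError, 'token header is not a JSON object' unless header.is_a?(Hash)
  raise ArgumentError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'

  signing_input = "#{header_b64}.#{payload_b64}"
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), signing_input)
  raise ArgumentError, 'signature verification failed' unless ok

  JSON.parse(b64url_decode(payload_b64))
end

if $PROGRAM_NAME == __FILE__
  # Constructed key and claims; a 2048-bit key mirrors what rails markus:lti_key generates.
  key = OpenSSL::PKey::RSA.new(MIN_RSA_BITS)
  token = sign_rs256({ 'iss' => 'https://canvas.example', 'sub' => 'user-42' }, key)
  puts verify_rs256(token, key.public_key).inspect
end
```

The ordering in verify_rs256 is the point: header parsing is needed to learn the algorithm, the signature is then checked over the raw segments, and only a token that survives that gets its claims parsed. Swapping the last two steps is the "unverified payload access" pattern that jwt 3.0 removed.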

coveralls (Collaborator) commented
Coverage Report for CI Build 28621447237

Coverage remained the same at 90.251%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: 1 of 1 lines across 1 file are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 50871
Covered Lines: 46927
Line Coverage: 92.25%
Relevant Branches: 2419
Covered Branches: 1168
Branch Coverage: 48.28%
Branches in Coverage %: Yes
Coverage Strength: 127.31 hits per line

💛 - Coveralls

@donny-wong donny-wong requested a review from Naragod July 2, 2026 21:24