fix(security): patch json-jwt dependency vulnerabilities (#660)

jordanell · web-flow · commit 017d54d6d2ab · 2024-03-06T11:32:29.000+01:00
Upgraded json-jwt to >= 1.16 to resolve CVE-2023-51774
diff --git a/Gemfile b/Gemfile
@@ -35,5 +35,5 @@ gem 'httparty', '0.18.1'
 gem 'ipaddress', '0.8.3'
 gem 'openid_connect', '1.4.2'
 gem 'json'
-gem 'json-jwt', '1.15.0'
+gem 'json-jwt', '>= 1.16'
 gem 'deepsort'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -10,7 +10,7 @@ PATH
       httparty
       ipaddress
       json
-      json-jwt (~> 1.15.0)
+      json-jwt (>= 1.16.0)
       jwt
       openid_connect (= 1.4.2)
       rack-cors
@@ -83,8 +83,9 @@ GEM
     arel-helpers (2.14.0)
       activerecord (>= 3.1.0, < 8)
     attr_required (1.0.1)
+    base64 (0.2.0)
     bcrypt (3.1.18)
-    bindata (2.4.14)
+    bindata (2.5.0)
     builder (3.2.4)
     byebug (11.1.3)
     concurrent-ruby (1.1.10)
@@ -94,6 +95,12 @@ GEM
     diff-lcs (1.5.0)
     docile (1.4.0)
     erubi (1.12.0)
+    faraday (2.9.0)
+      faraday-net_http (>= 2.0, < 3.2)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-net_http (3.1.0)
+      net-http
     forestadmin-jsonapi-serializers (2.0.0.pre.beta.2)
       activesupport
     globalid (1.0.0)
@@ -108,11 +115,13 @@ GEM
       concurrent-ruby (~> 1.0)
     ipaddress (0.8.3)
     json (2.6.3)
-    json-jwt (1.15.0)
+    json-jwt (1.16.6)
       activesupport (>= 4.2)
       aes_key_wrap
+      base64
       bindata
-      httpclient
+      faraday (~> 2.0)
+      faraday-follow_redirects
     jwt (2.6.0)
     loofah (2.19.1)
       crass (~> 1.0.2)
@@ -131,6 +140,8 @@ GEM
     mini_portile2 (2.8.1)
     minitest (5.17.0)
     multi_xml (0.6.0)
+    net-http (0.4.1)
+      uri
     net-imap (0.3.4)
       date
       net-protocol
@@ -235,6 +246,7 @@ GEM
     timeout (0.3.1)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
+    uri (0.13.0)
     useragent (0.16.10)
     validate_email (0.1.6)
       activemodel (>= 3.0)
@@ -264,7 +276,7 @@ DEPENDENCIES
   httparty (= 0.18.1)
   ipaddress (= 0.8.3)
   json
-  json-jwt (= 1.15.0)
+  json-jwt (>= 1.16)
   jwt
   openid_connect (= 1.4.2)
   rack-cors
diff --git a/forest_liana.gemspec b/forest_liana.gemspec
@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "httparty"
   s.add_runtime_dependency "ipaddress"
   s.add_runtime_dependency "json"
-  s.add_runtime_dependency "json-jwt", "~> 1.15.0"
+  s.add_runtime_dependency "json-jwt", ">= 1.16.0"
   s.add_runtime_dependency "openid_connect", "1.4.2"
   s.add_runtime_dependency "deepsort"
 end
