chore(dep): bump jsonwebtoken v10.3.0 fix cve#3754
duyquang6 wants to merge 5 commits into alloy-rs:main from
Conversation
could you check again, ran locally and it passes
| // Create a new validation object with the required signature algorithm | ||
| // and ensure that the `iat` claim is present. The `exp` claim is validated if defined. | ||
| let mut validation = Validation::new(JWT_SIGNATURE_ALGO); | ||
| validation.set_required_spec_claims(&["iat"]); |
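Review bot: the doc comment on these lines says the validation will "ensure that the `iat` claim is present", but the only call that follows is `validation.set_required_spec_claims(&["iat"])`, which the author's own reply says does not cover `iat`; the comment and the code disagree. Either update the comment to name the claims jsonwebtoken is actually asked to enforce, or keep the statement and make the `iat` requirement explicit in the claims type (a non-optional field) so that the comment stays true.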
`set_required_spec_claims` does not accept the `iat` field anyway, so that's why I nuked it here
| let mut validation = Validation::new(JWT_SIGNATURE_ALGO); | ||
| validation.set_required_spec_claims(&["iat"]); | ||
| validation.required_spec_claims.clear(); | ||
| validation.validate_exp = false; |
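Review bot: `validation.set_required_spec_claims(&["iat"])` is immediately undone by `validation.required_spec_claims.clear()`, so the first call is dead code and should be dropped. Since `validation.validate_exp = false` switches off the library's expiry check, this hunk changes verification behaviour and is not a pure dependency bump; the PR title and the empty Solution section should say so, and a one-line comment next to `validate_exp = false` should state that `exp` is checked manually afterwards so the next reader does not remove the manual check.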
By default jsonwebtoken will validate the `exp` field.
Since the engine API doesn't validate when `exp` does not exist, this is needed to bypass it.
| if !token.claims.is_within_time_window() { | ||
| Err(JwtError::InvalidIssuanceTimestamp)? | ||
| } | ||
| if !token.claims.is_exp_valid() { |
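Review bot: with the library `exp` check disabled, `token.claims.is_exp_valid()` is now the only expiry check on this path, so its contract matters: a token without `exp` must be accepted (the engine API does not require it) and a token whose `exp` is in the past must be rejected. Please add tests for both cases, plus one for an `iat` just outside the window, so a later refactor cannot silently drop the manual check. Style point: `Err(JwtError::InvalidIssuanceTimestamp)?` reads oddly; a plain `return Err(JwtError::InvalidIssuanceTimestamp)` is clearer.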
We need to manually verify because we bypass the check above.
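The discussion above comes down to one rule for engine-API tokens: `iat` is mandatory and must lie close to the verifier's clock, while `exp` is optional but, when present, must not be in the past; disabling the library's own `exp` check means that second half has to be enforced by hand. The following is an added, self-contained illustration of that rule and is not alloy's code or the code under review: the claims struct, the 60-second window (`MAX_IAT_DIFF_SECS`), the tiny JSON field extractor and the function names `is_within_time_window_at`, `is_exp_valid_at` and `validate_claims_json` are all assumptions made for this example. The clock is passed in explicitly so every edge case can be checked deterministically.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Maximum allowed distance between the token's `iat` and the verifier's clock, in seconds.
/// Assumed value for this example; the real engine-API constant lives in alloy/reth.
pub const MAX_IAT_DIFF_SECS: u64 = 60;

/// The two claims the engine API cares about: `iat` is mandatory, `exp` is optional.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Claims {
    pub iat: u64,
    pub exp: Option<u64>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ClaimError {
    /// `iat` is absent from the claims; the token cannot be accepted at all.
    MissingIat,
    /// `iat` lies outside the acceptable window around the verifier's clock.
    InvalidIssuanceTimestamp,
    /// `exp` is present and already in the past.
    Expired,
}

impl Claims {
    /// `iat` may be at most MAX_IAT_DIFF_SECS away from `now`, in either direction,
    /// so a slightly skewed client clock is tolerated but an old token is not.
    pub fn is_within_time_window_at(&self, now: u64) -> bool {
        now.abs_diff(self.iat) <= MAX_IAT_DIFF_SECS
    }

    /// The manual replacement for the library check that was switched off:
    /// a missing `exp` is accepted, a present `exp` must still be in the future.
    pub fn is_exp_valid_at(&self, now: u64) -> bool {
        match self.exp {
            None => true,
            Some(exp) => now < exp,
        }
    }

    /// Both checks in the order the reviewed code applies them.
    pub fn validate_at(&self, now: u64) -> Result<(), ClaimError> {
        if !self.is_within_time_window_at(now) {
            return Err(ClaimError::InvalidIssuanceTimestamp);
        }
        if !self.is_exp_valid_at(now) {
            return Err(ClaimError::Expired);
        }
        Ok(())
    }
}

/// Extracts a non-negative integer field from a flat JSON object such as
/// `{"iat":1000,"exp":1100}`. Deliberately minimal (no serde) so the example runs
/// stand-alone; it is not a general JSON parser.
fn field_u64(json: &str, key: &str) -> Option<u64> {
    let needle = format!("\"{key}\":");
    let start = json.find(&needle)? + needle.len();
    let digits: String = json[start..]
        .trim_start()
        .chars()
        .take_while(|c| c.is_ascii_digit())
        .collect();
    digits.parse().ok()
}

/// Parses the claims object; `iat` must exist, `exp` is kept as `None` when absent
/// so that the validation step can distinguish "no expiry" from "expired".
pub fn parse_claims(json: &str) -> Result<Claims, ClaimError> {
    let iat = field_u64(json, "iat").ok_or(ClaimError::MissingIat)?;
    Ok(Claims { iat, exp: field_u64(json, "exp") })
}

/// Parse and validate a claims object against an explicit clock value.
pub fn validate_claims_json(json: &str, now: u64) -> Result<(), ClaimError> {
    parse_claims(json)?.validate_at(now)
}

fn unix_now() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

fn main() {
    let now = unix_now();
    // Constructed sample claims: one fresh token without `exp`, one already expired.
    let fresh = format!("{{\"iat\":{now}}}");
    println!("{fresh} -> {:?}", validate_claims_json(&fresh, now));
    let expired = format!("{{\"iat\":{now},\"exp\":{}}}", now.saturating_sub(1));
    println!("{expired} -> {:?}", validate_claims_json(&expired, now));
}
```

The window is symmetric on purpose: rejecting only old tokens would let a client with a fast clock pre-mint tokens far into the future, and a cached `iat` from minutes ago is exactly what the window is meant to stop.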
@onbjerg pls review and merge :)
mattsse left a comment
Sorry, is this now a dep bump or a fix?
I don't understand why this needs validation changes.
Hi sir, if not explicitly set validate
Motivation
fix cve: https://avd.aquasec.com/nvd/cve-2026-25537
Solution
PR Checklist