Skip to content

Support jwt gem 3.x alongside 2.x#726

Open
dan98765 wants to merge 1 commit into
auth0:masterfrom
dan98765:support-jwt-3
Open

Support jwt gem 3.x alongside 2.x#726
dan98765 wants to merge 1 commit into
auth0:masterfrom
dan98765:support-jwt-3

Conversation

@dan98765
Copy link
Copy Markdown

@dan98765 dan98765 commented May 5, 2026
edited
Loading

Changes

Widens the jwt runtime dependency from ~> 2.7 (which caps at < 3.0) to >= 2.7, < 4.0. This lets consumers that depend on both auth0 and a gem requiring jwt 3.x (e.g. workos >= 6.0) resolve without conflicts.

No code changes — just the gemspec constraint and the lockfile.

References

Testing

Ran the full test suite (bundle exec rake test) on Ruby 3.3.9 with jwt 3.1.2 resolved:

  • 1040 unit examples, 0 failures
  • 164 integration examples, 0 failures (1 pending — pre-existing)
  • Line coverage: 99.56%

No new tests needed since this is a dependency constraint change and all existing JWT-related tests already pass against 3.x.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of Ruby

Checklist

  • I have read the Auth0 general contribution guidelines
  • I have read the Auth0 Code of Conduct
  • All existing and new tests complete without errors
  • Rubocop passes on all added/modified files (note: rubocop fails to start due to a pre-existing config issue in .rubocop_todo.ymlMetrics/LineLength renamed to Layout/LineLength — unrelated to this change)
  • All active GitHub checks have passed

@dan98765 dan98765 requested a review from a team as a code owner May 5, 2026 17:44
@dan98765 dan98765 mentioned this pull request May 5, 2026
Open
5 tasks
@arpit-jn
Copy link
Copy Markdown
Contributor

arpit-jn commented May 8, 2026

LGTM. The change is minimal, well-scoped, and the test results are convincing (1040 unit + 164 integration, zero failures on jwt 3.1.2).

Ask: Could you rebase onto master to resolve the Gemfile.lock conflict? We just shipped v5.19.0 which updated the lockfile. Should be a quick bundle install after rebase.

@dan98765
Support jwt gem 3.x alongside 2.x
f4756e4 
Widen the jwt dependency from `~> 2.7` (which caps at < 3.0) to
`>= 2.7, < 4.0`.  This allows consumers that depend on both auth0 and
a gem requiring jwt 3.x (e.g. workos >= 6.0) to resolve without
conflicts.

Full test suite (1040 unit + 164 integration examples) passes on
jwt 3.1.2 / Ruby 3.3.9 with zero failures.

Closes auth0#690
@dan98765
Copy link
Copy Markdown
Author

dan98765 commented May 8, 2026

Ask: Could you rebase onto master to resolve the Gemfile.lock conflict? We just shipped v5.19.0 which updated the lockfile. Should be a quick bundle install after rebase.

No prob, updated.

@dan98765
Copy link
Copy Markdown
Author

dan98765 commented May 19, 2026

Rebased and conflict resolved — anything else needed to get this merged?

@joshgaber
Copy link
Copy Markdown

joshgaber commented May 20, 2026

@arpit-jn @dan98765 Now that the Ruby-JWT maintainers have published CVE-2026-44351, I'm sure a lot of users are scrambling to upgrade this gem as soon as possible. Is there anything we can do to help expedite this?

Second question: Should the jwt version be pegged to 3.2 or higher? I'd imagine you'd want to prevent developers from using insecure gems with your product where possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dan98765 @arpit-jn @joshgaber