
Commit 89d4fa4

authored
Bump fastlane to 2.235.0 and jwt to 3.2.0 (CVE-2026-45363) (#663)
* Bump fastlane to 2.235.0 and jwt to 3.2.0 (CVE-2026-45363) jwt < 3.2.0 accepts attacker-forged tokens when an empty or nil key is used with HMAC algorithms (GHSA-c32j-vqhx-rx3x). fastlane 2.233.1 pinned jwt < 3, blocking the fix. fastlane 2.235.0 relaxes that to jwt < 4, allowing the upgrade to 3.2.0. * Remove json and addressable pins no longer needed with fastlane 2.235.0
1 parent 3f9b6cd commit 89d4fa4

2 files changed

Lines changed: 54 additions & 53 deletions


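--- a/Gemfile
+++ b/Gemfile
@@ -1,4 +1,2 @@
 source "https://rubygems.org"
-gem "fastlane", "2.233.1"
-gem "json", ">=2.19.2"
-gem "addressable", ">=2.9.0"
+gem "fastlane", "2.235.0"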
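Review bot: Nothing in the new Gemfile enforces the patched jwt version: the only declared gem is fastlane, and per the lockfile entries fastlane accepts `jwt (>= 2.1.0, < 4)` and googleauth accepts `jwt (>= 1.4, < 4.0)`, so 3.2.0 is held by Gemfile.lock alone. A later re-resolution or a regenerated lockfile could in principle land below the fix; an explicit floor such as `gem "jwt", ">= 3.2.0"` with a one-line comment naming the advisory would make the intent durable and reviewable. The same reasoning applies to the dropped `json` and `addressable` floors, since fastlane's own constraints shown in the lockfile (`json (< 3.0.0)`, `addressable (>= 2.8, < 3.0.0)`) are looser than the pins removed here; if those were security floors (this is not visible on the page), consider keeping them.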

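--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,28 +8,28 @@ GEM
 artifactory (3.0.17)
 atomos (0.1.3)
 aws-eventstream (1.4.0)
-aws-partitions (1.1206.0)
-aws-sdk-core (3.241.4)
+aws-partitions (1.1254.0)
+aws-sdk-core (3.250.0)
 aws-eventstream (~> 1, >= 1.3.0)
 aws-partitions (~> 1, >= 1.992.0)
 aws-sigv4 (~> 1.9)
 base64
 bigdecimal
 jmespath (~> 1, >= 1.6.1)
 logger
-aws-sdk-kms (1.121.0)
-aws-sdk-core (~> 3, >= 3.241.4)
+aws-sdk-kms (1.128.0)
+aws-sdk-core (~> 3, >= 3.248.0)
 aws-sigv4 (~> 1.5)
-aws-sdk-s3 (1.211.0)
-aws-sdk-core (~> 3, >= 3.241.3)
+aws-sdk-s3 (1.224.0)
+aws-sdk-core (~> 3, >= 3.248.0)
 aws-sdk-kms (~> 1)
 aws-sigv4 (~> 1.5)
 aws-sigv4 (1.12.1)
 aws-eventstream (~> 1, >= 1.0.2)
 babosa (1.0.4)
-base64 (0.2.0)
+base64 (0.3.0)
 benchmark (0.5.0)
-bigdecimal (4.0.1)
+bigdecimal (4.1.2)
 claide (1.1.0)
 colored (1.2)
 colored2 (3.1.2)
@@ -71,17 +71,17 @@ GEM
 faraday-retry (1.0.4)
 faraday_middleware (1.2.1)
 faraday (~> 1.0)
-fastimage (2.4.0)
-fastlane (2.233.1)
-CFPropertyList (>= 2.3, < 4.0.0)
-abbrev (~> 0.1.2)
+fastimage (2.4.1)
+fastlane (2.235.0)
+CFPropertyList (>= 2.3, < 5.0.0)
+abbrev (~> 0.1)
 addressable (>= 2.8, < 3.0.0)
 artifactory (~> 3.0)
 aws-sdk-s3 (~> 1.197)
 babosa (>= 1.0.3, < 2.0.0)
-base64 (~> 0.2.0)
+base64 (~> 0.2)
 benchmark (>= 0.1.0)
-bundler (>= 1.17.3, < 5.0.0)
+bundler (>= 2.4.0, < 5.0.0)
 colored (~> 1.2)
 commander (~> 4.6)
 csv (~> 3.3)
@@ -96,18 +96,18 @@ GEM
 gh_inspector (>= 1.1.2, < 2.0.0)
 google-apis-androidpublisher_v3 (~> 0.3)
 google-apis-playcustomapp_v1 (~> 0.1)
-google-cloud-env (>= 1.6.0, <= 2.1.1)
+google-cloud-env (>= 1.6.0, < 2.3.0)
 google-cloud-storage (~> 1.31)
 highline (~> 2.0)
 http-cookie (~> 1.0.5)
 json (< 3.0.0)
-jwt (>= 2.1.0, < 3)
+jwt (>= 2.1.0, < 4)
 logger (>= 1.6, < 2.0)
 mini_magick (>= 4.9.4, < 5.0.0)
 multipart-post (>= 2.0.0, < 3.0.0)
-mutex_m (~> 0.3.0)
+mutex_m (~> 0.3)
 naturally (~> 2.2)
-nkf (~> 0.2.0)
+nkf (~> 0.2)
 optparse (>= 0.1.1, < 1.0.0)
 ostruct (>= 0.1.0)
 plist (>= 3.1.0, < 4.0.0)
@@ -124,39 +124,44 @@ GEM
 xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
 fastlane-sirp (1.1.0)
 gh_inspector (1.1.3)
-google-apis-androidpublisher_v3 (0.54.0)
-google-apis-core (>= 0.11.0, < 2.a)
-google-apis-core (0.11.3)
+google-apis-androidpublisher_v3 (0.101.0)
+google-apis-core (>= 0.15.0, < 2.a)
+google-apis-core (0.18.0)
 addressable (~> 2.5, >= 2.5.1)
-googleauth (>= 0.16.2, < 2.a)
-httpclient (>= 2.8.1, < 3.a)
+googleauth (~> 1.9)
+httpclient (>= 2.8.3, < 3.a)
 mini_mime (~> 1.0)
+mutex_m
 representable (~> 3.0)
 retriable (>= 2.0, < 4.a)
-rexml
-google-apis-iamcredentials_v1 (0.17.0)
-google-apis-core (>= 0.11.0, < 2.a)
-google-apis-playcustomapp_v1 (0.13.0)
-google-apis-core (>= 0.11.0, < 2.a)
-google-apis-storage_v1 (0.31.0)
-google-apis-core (>= 0.11.0, < 2.a)
+google-apis-iamcredentials_v1 (0.27.0)
+google-apis-core (>= 0.15.0, < 2.a)
+google-apis-playcustomapp_v1 (0.17.0)
+google-apis-core (>= 0.15.0, < 2.a)
+google-apis-storage_v1 (0.62.0)
+google-apis-core (>= 0.15.0, < 2.a)
 google-cloud-core (1.8.0)
 google-cloud-env (>= 1.0, < 3.a)
 google-cloud-errors (~> 1.0)
-google-cloud-env (1.6.0)
-faraday (>= 0.17.3, < 3.0)
-google-cloud-errors (1.5.0)
-google-cloud-storage (1.47.0)
+google-cloud-env (2.2.2)
+base64 (~> 0.2)
+faraday (>= 1.0, < 3.a)
+google-cloud-errors (1.6.0)
+google-cloud-storage (1.60.0)
 addressable (~> 2.8)
 digest-crc (~> 0.4)
-google-apis-iamcredentials_v1 (~> 0.1)
-google-apis-storage_v1 (~> 0.31.0)
+google-apis-core (>= 0.18, < 2)
+google-apis-iamcredentials_v1 (~> 0.18)
+google-apis-storage_v1 (>= 0.42)
 google-cloud-core (~> 1.6)
-googleauth (>= 0.16.2, < 2.a)
+googleauth (~> 1.9)
 mini_mime (~> 1.0)
-googleauth (1.8.1)
-faraday (>= 0.17.3, < 3.a)
-jwt (>= 1.4, < 3.0)
+google-logging-utils (0.2.0)
+googleauth (1.16.2)
+faraday (>= 1.0, < 3.a)
+google-cloud-env (~> 2.2)
+google-logging-utils (~> 0.1)
+jwt (>= 1.4, < 4.0)
 multi_json (~> 1.11)
 os (>= 0.9, < 2.0)
 signet (>= 0.16, < 2.a)
@@ -166,13 +171,13 @@ GEM
 httpclient (2.9.0)
 mutex_m
 jmespath (1.6.2)
-json (2.19.3)
-jwt (2.10.2)
+json (2.19.7)
+jwt (3.2.0)
 base64
 logger (1.7.0)
 mini_magick (4.13.2)
 mini_mime (1.1.5)
-multi_json (1.19.1)
+multi_json (1.21.1)
 multipart-post (2.4.1)
 mutex_m (0.3.0)
 nanaimo (0.4.0)
@@ -182,13 +187,13 @@ GEM
 os (1.1.4)
 ostruct (0.6.3)
 plist (3.7.2)
-public_suffix (7.0.2)
-rake (13.3.1)
+public_suffix (7.0.5)
+rake (13.4.2)
 representable (3.2.0)
 declarative (< 0.1.0)
 trailblazer-option (>= 0.1.1, < 0.2.0)
 uber (< 0.2.0)
-retriable (3.1.2)
+retriable (3.8.0)
 rexml (3.4.4)
 rouge (3.28.0)
 ruby2_keywords (0.0.5)
@@ -230,9 +235,7 @@ PLATFORMS
 ruby
 
 DEPENDENCIES
-addressable (>= 2.9.0)
-fastlane (= 2.233.1)
-json (>= 2.19.2)
+fastlane (= 2.235.0)
 
 BUNDLED WITH
-4.0.6
+4.0.12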
