Skip to content

Update JWT dependency#7960

Merged
neilalexander merged 1 commit intomainfrom
neil/deps-17-mar-26
Mar 17, 2026
Merged

Update JWT dependency#7960
neilalexander merged 1 commit intomainfrom
neil/deps-17-mar-26

Conversation

@neilalexander
Copy link
Copy Markdown
Member

@neilalexander neilalexander commented Mar 17, 2026

Signed-off-by: Neil Twigg neil@nats.io

@neilalexander
Update JWT dependency
c7237a4 
Signed-off-by: Neil Twigg <neil@nats.io>
@neilalexander neilalexander requested a review from a team as a code owner March 17, 2026 13:39
@synadia-claude-reviewer
Copy link
Copy Markdown

synadia-claude-reviewer bot commented Mar 17, 2026
edited
Loading

Claude finished @neilalexander's task in 45s —— View job

PR Review: Update JWT dependency

  • Gather context and examine PR changes
  • Review go.mod and go.sum changes
  • Check for security or compatibility concerns
  • Post review summary

Review Summary

This is a straightforward patch-level dependency bump of github.com/nats-io/jwt/v2 from v2.8.0v2.8.1. The go.sum hashes are updated correctly to match the new version.

What's in v2.8.1:

  • Fix: allow import of same service subject from different accounts
  • Fix: credential generation now validates the key matches the JWT provided
  • Fix: DecorateSeed is more resilient against short input
  • Fix: weighted mappings now correctly enforce the 100% cap
  • Fix: added a size check for JWT tokens (potential DoS hardening)

The changes are minimal (3 lines in go.mod/go.sum) and purely a version bump — no logic changes in this repo.

Assessment: The update includes several correctness and robustness fixes in the JWT library. The JWT token size check (nats-io/jwt#248) and credential key validation (nats-io/jwt#242) are noteworthy security-relevant improvements. No concerns with this change.

MauriceVanVeen
MauriceVanVeen approved these changes Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@MauriceVanVeen MauriceVanVeen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@neilalexander neilalexander merged commit ccb880d into main Mar 17, 2026
72 of 75 checks passed
@neilalexander neilalexander deleted the neil/deps-17-mar-26 branch March 17, 2026 14:28
neilalexander added a commit that referenced this pull request Mar 24, 2026
@neilalexander
Cherry-picks for 2.12.6-RC.3 (#59)
e6ab7e9 
Includes the following:

- #7958
- #7959
- #7960
- #7961
- #7962
- #7896
- Security fixes

Signed-off-by: Neil Twigg <neil@nats.io>
neilalexander added a commit that referenced this pull request Mar 24, 2026
@neilalexander
Cherry-picks for 2.11.15 (#62)
e349b31 
Includes the following:

- #7805
- #7933
- #7941
- #7942
- #7944
- #7952
- #7953
- #7954
- #7960
- #7896
- #7970
- Security fixes

Signed-off-by: Neil Twigg <neil@nats.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MauriceVanVeen MauriceVanVeen MauriceVanVeen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@neilalexander @MauriceVanVeen