
fix(deps): bump jose minimum to ^0.3.5+1#2613

Open
neel-sharma wants to merge 2 commits into GetStream:master from neel-sharma:master

Conversation


@neel-sharma neel-sharma commented Apr 11, 2026

Submit a pull request

Linear: N/A
Github Issue: N/A

CLA

  • I have signed the Stream CLA (required).
  • The code changes follow best practices
  • Code changes are tested (add some information if not applicable)

Description of the pull request

jose 0.3.4 has a JWT signature bypass vulnerability tracked as CVE-2026-34240 / GHSA-vm9r-h74p-hg97. The fix is available in jose 0.3.5+.

This PR bumps the lower bound from ^0.3.4 to ^0.3.5 in two files:

  • melos.yaml
  • packages/stream_chat/pubspec.yaml

No code changes — the jose API is unchanged. The ^ constraint still allows anything >=0.3.5 <0.4.0, so nothing else breaks. Only the vulnerable version is excluded from resolution.

Testing: Dependency-only change, no logic affected. Verified pub get resolves cleanly.

Screenshots / Videos

N/A — dependency version bump only, no UI changes.

Summary by CodeRabbit

  • Chores
    • Updated a third-party dependency to a newer patch release to improve compatibility and stability.
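The description above relies on pub's caret semantics (`^0.3.5` means `>=0.3.5 <0.4.0`) to argue that only the vulnerable 0.3.4 release is excluded. The following added example, which is not code from the stream_chat repository or from the jose package, models that caret rule in Python and scans a pubspec/melos-style manifest for the `jose` constraint, reporting whether a known-bad version is still admitted. It assumes pub_semver's ordering of build metadata (a version with `+1` sorts above the same version without it), which is what makes `^0.3.5+1` a strictly tighter floor than `^0.3.5`; the sample manifest text and the function names are constructed for the example.

```python
"""Check whether a pub-style caret constraint still admits a known-bad version.

Added example, not project code. Caret rule as stated in the PR description:
  ^X.Y.Z  -> >=X.Y.Z <(X+1).0.0      when X > 0
  ^0.Y.Z  -> >=0.Y.Z <0.(Y+1).0      when X == 0 and Y > 0
  ^0.0.Z  -> >=0.0.Z <0.0.(Z+1)      otherwise
Assumption (pub_semver ordering): build metadata is ordered, so 0.3.5 < 0.3.5+1.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+(\d+))?$")
# Matches a manifest line such as "  jose: ^0.3.5+1" (pubspec.yaml / melos.yaml style).
_DEP_LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_]+):\s*(?P<constraint>\S+)\s*$")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[+BUILD]' into a comparable tuple.

    A missing build number is stored as -1 so that it sorts below any
    explicit build number (assumption: pub_semver ordering).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), -1 if build is None else int(build))


def caret_range(constraint: str) -> Tuple[Version, Version]:
    """Return (lower_inclusive, upper_exclusive) for a caret constraint."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled in this example")
    lower = parse_version(constraint[1:])
    major, minor, patch, _ = lower
    if major > 0:
        upper = (major + 1, 0, 0, -1)
    elif minor > 0:
        upper = (0, minor + 1, 0, -1)
    else:
        upper = (0, 0, patch + 1, -1)
    return lower, upper


def allows(constraint: str, version: str) -> bool:
    """True if the caret constraint can resolve to the given version."""
    lower, upper = caret_range(constraint)
    return lower <= parse_version(version) < upper


def scan_manifest(manifest: str, package: str, bad_versions: List[str]) -> Optional[List[str]]:
    """Find the constraint for `package` in manifest text and list admitted bad versions.

    Returns None when the package is not pinned in the manifest at all.
    """
    for line in manifest.splitlines():
        m = _DEP_LINE_RE.match(line)
        if m and m.group("name") == package:
            constraint = m.group("constraint")
            return [v for v in bad_versions if allows(constraint, v)]
    return None


# Constructed sample manifests mirroring the before/after state described in the PR.
MANIFEST_BEFORE = """dependencies:
  jose: ^0.3.4
  http: ^1.0.0
"""
MANIFEST_AFTER = """dependencies:
  jose: ^0.3.5+1
  http: ^1.0.0
"""

# Vulnerable release named in the PR description.
KNOWN_BAD = ["0.3.4"]

if __name__ == "__main__":
    for label, text in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        admitted = scan_manifest(text, "jose", KNOWN_BAD)
        print(f"{label}: admitted bad versions = {admitted}")
```

Running the module prints which known-bad versions each manifest can still resolve to; the `before` manifest admits 0.3.4 and the `after` manifest admits none. The same `allows` helper also shows the difference between the two titles this PR carried: `^0.3.5` still resolves to plain 0.3.5, while `^0.3.5+1` requires 0.3.5+1 or later within the 0.3.x line.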

@coderabbitai
Contributor

coderabbitai bot commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f572b27-9ad2-445b-853a-e4b0d49fec99

📥 Commits

Reviewing files that changed from the base of the PR and between a149b56 and 52f998b.

📒 Files selected for processing (2)
  • melos.yaml
  • packages/stream_chat/pubspec.yaml
✅ Files skipped from review due to trivial changes (2)
  • packages/stream_chat/pubspec.yaml
  • melos.yaml

📝 Walkthrough

Walkthrough

The jose dependency constraint was bumped from ^0.3.4 to ^0.3.5+1 in the monorepo configuration and the stream_chat package (melos.yaml and packages/stream_chat/pubspec.yaml), updating the allowed version including build metadata.

Changes

Cohort: Dependency Version Updates
File(s): melos.yaml, packages/stream_chat/pubspec.yaml
Summary: Changed jose dependency constraint from ^0.3.4 to ^0.3.5+1 in both files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I hopped through code with nimble feet,
A tiny bump—jose made complete.
From .4 to .5+1 I cheer and play,
A little version dance to brighten the day. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly summarizes the main change: bumping the jose dependency minimum version to address a vulnerability.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/stream_chat/pubspec.yaml`:
- Line 30: Update the jose dependency constraint from ^0.3.5 to ^0.3.5+1 in the
packages/stream_chat pubspec (change the "jose" entry) to ensure the
CVE-2026-34240 patch is used; also make the identical change to the "jose"
constraint in melos.yaml (the other occurrence mentioned) so both manifests
require the patched 0.3.5+1 or later.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b89415cf-5594-4f53-b079-47b94e80c758

📥 Commits

Reviewing files that changed from the base of the PR and between 1168767 and a149b56.

📒 Files selected for processing (2)
  • melos.yaml
  • packages/stream_chat/pubspec.yaml

@neel-sharma neel-sharma changed the title fix(deps): bump jose minimum to ^0.3.5 fix(deps): bump jose minimum to ^0.3.5+1 Apr 12, 2026