- Explicit
HS256algorithm inJWT.encodecalls — prevents algorithm confusion if jwt gem defaults change. - JWT token lifetime reduced from 24 hours to 5 minutes — limits replay attack window per Atlassian recommendations.
Resource::User#singular_pathnow URL-encodes the username — prevents query parameter injection.Resource::Attachment#save!sends only the basename as filename — prevents leaking server filesystem paths.
Base#set_attrswithclobber: falseno longer corrupts@attrswhen a nested key doesn't exist yet.OauthClient#make_requestraisesArgumentErrorfor unsupported HTTP methods instead of silently setting@authenticated = true.
- Minimum Ruby version raised to 2.7.0 (was 1.9.3).
- Removed
atlassian-jwtdependency. JWT canonicalization and claim building are now handled internally byJIRA::Jwt. If you were relying onatlassian-jwtbeing pulled in transitively, you'll need to add it to your own Gemfile. - Replaced
atlassian-jwtwithjwtgem (>= 2.1) as a runtime dependency.
JIRA::Jwtmodule — internal helper for building JWT claims and computingqsh(query string hash) per the Atlassian Connect spec.JIRA::JwtHeaderClient— authenticates viaAuthorization: JWT ...header (for Atlassian Connect apps that require header-based JWT).ostructadded as an explicit runtime dependency (required by Ruby 3.5+).
JIRA::JwtClientnow usesJIRA::Jwt.build_claimsinstead ofAtlassianJwt::Token.- Development dependency versions updated (
guard,guard-rspec,rake,rspec,webmock).