chore(deps): update dependency fast-jwt to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
fast-jwt	^5.0.0 → ^6.0.0

GitHub Vulnerability Alerts

CVE-2026-35039

Impact

Setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to:

• Valid tokens returning claims from different valid tokens
• Users being mis-identified as other users based on the wrong token

This could result in:

• User impersonation - UserB receives UserA's identity and permissions
• Privilege escalation - Low-privilege users inherit admin-level access
• Cross-tenant data access - Users gain access to other tenants' resources
• Authorization bypass - Security decisions made on wrong user identity

Affected Configurations

This vulnerability ONLY affects applications that BOTH:

1. Enable caching using the cache option
2. Use custom cacheKeyBuilder functions that can produce collisions

VULNERABLE examples:

// Collision-prone: same audience = same cache key
cacheKeyBuilder: (token) => {
  const { aud } = parseToken(token)
  return `aud=${aud}`
}

// Collision-prone: grouping by user type
cacheKeyBuilder: (token) => {
  const { aud } = parseToken(token)
  return aud.includes('admin') ? 'admin-users' : 'regular-users'
}

// Collision-prone: tenant + service grouping
cacheKeyBuilder: (token) => {
  const { iss, aud } = parseToken(token)
  return `${iss}-${aud}`
}

SAFE examples:

// Default hash-based (recommended)
createVerifier({ cache: true })  // Uses secure default

// Include unique user identifier
cacheKeyBuilder: (token) => {
  const { sub, aud, iat } = parseToken(token)
  return `${sub}-${aud}-${iat}`
}

// No caching (always safe)
createVerifier({ cache: false })

Not Affected

• Applications using default caching
• Applications with caching disabled

Assessment Guide

To determine if a consumer application is affected:

1. Check if caching is enabled: Look for cache: true or cache: in verifier configuration
2. Check for custom cache key builders: Look for cacheKeyBuilder function in configuration
3. Analyze collision potential: Review if the application's cacheKeyBuilder can produce identical keys for different users/tokens
4. If no custom cacheKeyBuilder: The project is NOT affected (default is safe)

Mitigations

While fast-jwt will look to include a fix for this in the next version, immediate mitigations include:

• Ensure uniqueness of keys produced in cacheKeyBuilder
• Remove custom cacheKeyBuilder method
• Disable caching

---

Release Notes

nearform/fast-jwt (fast-jwt)

v6.1.0

Compare Source

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.2 by @​optic-release-automation[bot] in #​564
• chore(deps-dev): bump @​types/node from 22.15.32 to 24.0.3 by @​dependabot[bot] in #​565
• chore(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in #​567
• chore: import crypto once by @​ilteoood in #​568
• chore: migrate to OIDC publishing for npm releases by @​zibs in #​569
• feat: expose TOKEN_ERROR_CODES and derive duplicated error code types from it by @​wopian in #​573

New Contributors

• @​zibs made their first contribution in #​569
• @​wopian made their first contribution in #​573

Full Changelog: nearform/fast-jwt@v6.0.2...v6.1.0

v6.0.2

Compare Source

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.1 by @​optic-release-automation in #​557
• chore(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @​dependabot in #​558
• docs: Add error handling section with examples by @​simoneb in #​561
• Fix: error constructor in declaration file by @​atlowChemi in #​562

New Contributors

• @​atlowChemi made their first contribution in #​562

Full Changelog: nearform/fast-jwt@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.0 by @​optic-release-automation in #​554
• feature: support negative expiresIn when signing tokens by @​agubler in #​556

Full Changelog: nearform/fast-jwt@v6.0.0...v6.0.1

v6.0.0

Compare Source

BREAKING CHANGES

This is a semver major release containing breaking changes to address more thoroughly the security vulnerability fixed in v5.0.6, which only fixed the vulnerability without introducing breaking changes.

This release takes it one step further by adhering more closely to the JWT specification.

More specifically, verification now expects all claims except for the aud claim to be single values, instead of supporting arrays of values.

This is a breaking change because JWTs containing claims in array format (with the exception of aud), now cause verification errors, while they were previously allowed.

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v5.0.6 by @​optic-release-automation in #​551
• feat!: align claim validation to specification by @​agubler in #​553

New Contributors

• @​agubler made their first contribution in #​553

Full Changelog: nearform/fast-jwt@v5.0.6...v6.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.