
update jsonwebtoken dependency #374

Merged: 1 commit merged Jan 5, 2023

Conversation

AntoineAA
Contributor

Update jsonwebtoken dependency to address

  • jsonwebtoken unrestricted key type could lead to legacy keys usage - GHSA-8cf7-32gw-wr33
  • jsonwebtoken has insecure input validation in jwt.verify function - GHSA-27h2-hvpr-p74q
  • jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - GHSA-hjrf-2m68-5959
  • jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - GHSA-qwph-4952-7xr6

@maheshupasani

@nelsonic when will this PR get closed?

@diego-deriv

It will be nice to have this merged.

@nelsonic
Member

nelsonic commented Jan 5, 2023

Hi Friends! 👋
Merging the PR is only part of the work. 🧑‍💻
I'm stoked that @AntoineAA made the time to create this 1-line PR. 🎉
But merging it will not automatically publish the new version to NPM.
That requires additional steps. ⌛
Which I can now finally do, as I'm back at my "Node.js" computer. 👍

@nelsonic nelsonic left a comment

Thanks @AntoineAA for making the time to update this. 🎉

@nelsonic nelsonic merged commit 0cf2b34 into dwyl:master Jan 5, 2023
@maheshupasani

Thank you very much @nelsonic @AntoineAA

@nelsonic nelsonic mentioned this pull request Jan 5, 2023
@nelsonic
Member

nelsonic commented Jan 5, 2023

@maheshupasani again, this is only the start of the update.
A 1-line update to package.json, while very welcome, does not publish the package to NPM.
That requires several extra steps: #375

(image: xkcd 2347, "Dependency")
https://xkcd.com/2347 |> https://www.explainxkcd.com/wiki/index.php/2347:_Dependency

nelsonic added a commit that referenced this pull request Jan 5, 2023
@nelsonic
Member

nelsonic commented Jan 5, 2023

hapi-auth-jwt2@10.4.0 published to NPM contains this update. 📦
Thanks again. 👌

@nelsonic
Member

nelsonic commented Jan 5, 2023

https://www.npmjs.com/package/hapi-auth-jwt2/v/10.4.0

@maheshupasani

Thank you @nelsonic

@AntoineAA
Contributor Author

@nelsonic thanks for the package maintenance!

4 participants