Update dependency jsonwebtoken to v9 - autoclosed #5

mend-for-github-com · 2022-12-23T01:10:11Z

This PR contains the following updates:

Package	Type	Update	Change
jsonwebtoken	dependencies	major	`^8.4.0` -> `^9.0.0`

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
High	8.1	CVE-2022-23539
High	7.6	CVE-2022-23540
Medium	6.3	CVE-2022-23541

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

`v9.0.0`

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

Removed support for Node versions 11 and below.
The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
Key types must be valid for the signing / verification algorithm

Security fixes

security: fixes Arbitrary File Write via verify function - CVE-2022-23529
security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

`v8.5.1`

Compare Source

Bug fix

fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

`v8.5.0`

Compare Source

New Functionality

feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

If you want to rebase/retry this PR, check this box

Update dependency jsonwebtoken to v9

35c31fa

mend-for-github-com bot added the security fix Security fix generated by Mend label Dec 23, 2022

mend-for-github-com bot changed the title ~~Update dependency jsonwebtoken to v9~~ Update dependency jsonwebtoken to v9 - autoclosed Apr 30, 2024

mend-for-github-com bot closed this Apr 30, 2024

mend-for-github-com bot deleted the whitesource-remediate/jsonwebtoken-9.x branch April 30, 2024 04:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency jsonwebtoken to v9 - autoclosed #5

Update dependency jsonwebtoken to v9 - autoclosed #5

mend-for-github-com bot commented Dec 23, 2022 •

edited

Loading

Update dependency jsonwebtoken to v9 - autoclosed #5

Update dependency jsonwebtoken to v9 - autoclosed #5

Conversation

mend-for-github-com bot commented Dec 23, 2022 • edited Loading

Release Notes

v9.0.0

Breaking changes

Security fixes

v8.5.1

Bug fix

Docs

v8.5.0

New Functionality

Test Improvements

Docs

mend-for-github-com bot commented Dec 23, 2022 •

edited

Loading

`v9.0.0`

`v8.5.1`

`v8.5.0`