From 3fe2a394289a95abe3a0e5d3ee9bf90fcce89c11 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Wed, 10 Jan 2024 18:47:42 +0000 Subject: [PATCH] fix: package.json & package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/npm:base64url:20180511 --- package-lock.json | 169 +++++++++++++++++++++++++--------------------- package.json | 4 +- 2 files changed, 93 insertions(+), 80 deletions(-) diff --git a/package-lock.json b/package-lock.json index 317bb49bccc..177762721ba 100644 --- a/package-lock.json +++ b/package-lock.json @@ -36,7 +36,7 @@ "download": "^8.0.0", "errorhandler": "^1.5.1", "express": "^4.17.1", - "express-jwt": "0.1.3", + "express-jwt": "^3.0.0", "express-rate-limit": "^5.1.3", "express-robots-txt": "^0.4.1", "express-security.txt": "^2.0.0", @@ -58,7 +58,7 @@ "is-heroku": "^2.0.0", "is-windows": "^1.0.2", "js-yaml": "^3.14.0", - "jsonwebtoken": "0.4.0", + "jsonwebtoken": "^5.0.0", "jssha": "^3.1.1", "juicy-chat-bot": "~0.6.0", "libxmljs2": "^0.26.4", @@ -3252,11 +3252,6 @@ "node": "^4.5.0 || >= 5.9" } }, - "node_modules/base64url": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/base64url/-/base64url-0.0.6.tgz", - "integrity": "sha1-lZezazMNscQkdzIuqH6oAnSZuCs=" - }, "node_modules/basic-auth": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/basic-auth/-/basic-auth-1.1.0.tgz", @@ -3647,6 +3642,11 @@ "node": ">=0.4.0" } }, + "node_modules/buffer-equal-constant-time": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz", + "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==" + }, "node_modules/buffer-fill": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/buffer-fill/-/buffer-fill-1.0.0.tgz", 
@@ -5371,6 +5371,14 @@ "safer-buffer": "^2.1.0" } }, + "node_modules/ecdsa-sig-formatter": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz", + "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==", + "dependencies": { + "safe-buffer": "^5.0.1" + } + }, "node_modules/ecstatic": { "version": "3.3.2", "resolved": "https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz", 
@@ -6885,33 +6893,22 @@ } }, "node_modules/express-jwt": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/express-jwt/-/express-jwt-0.1.3.tgz", - "integrity": "sha1-fHgiH4udchBq/1VqiluOhS1BsS8=", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/express-jwt/-/express-jwt-3.0.0.tgz", + "integrity": "sha512-fencYCBrlLlaYuKvE9WEcd4RFgVWcRd0Ef0aBEx8S0vAQa2nyWWmIOrwsclxIB5pPHjO+d3yCBYSo025+CtiRA==", "dependencies": { - "jsonwebtoken": "~0.1.0" + "async": "^0.9.0", + "express-unless": "0.0.0", + "jsonwebtoken": "^5.0.0" }, "engines": { "node": ">= 0.4.0" } }, - "node_modules/express-jwt/node_modules/jsonwebtoken": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-0.1.0.tgz", - "integrity": "sha1-UFYoSSCS/jXQi2APpnaM0GcRqqI=", - "deprecated": "Critical vulnerability fix in v5.0.0. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", - "dependencies": { - "jws": "~0.2.2", - "moment": "~2.0.0" - } - }, - "node_modules/express-jwt/node_modules/moment": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/moment/-/moment-2.0.0.tgz", - "integrity": "sha1-K7xbRMMhg3aTq278rb1G7ZRiEf4=", - "engines": { - "node": "*" - } + "node_modules/express-jwt/node_modules/async": { + "version": "0.9.2", + "resolved": "https://registry.npmjs.org/async/-/async-0.9.2.tgz", + "integrity": "sha512-l6ToIJIotphWahxxHyzK9bnLR6kM4jJIIgLShZeqLY7iboHoGkdgFl7W2/Ivi4SkMJYGKqW8vSuk0uKUj6qsSw==" }, "node_modules/express-rate-limit": { "version": "5.5.1", 
@@ -6931,6 +6928,11 @@ "resolved": "https://registry.npmjs.org/express-security.txt/-/express-security.txt-2.0.0.tgz", "integrity": "sha512-DwjS7MssPbqTFddZfTqNqyfsq6AUP1A/BytamSeoL0Ai7/alHYsAgxE4zhvoPt6MjoroXkSqq1gStQqxsiaF7A==" }, + "node_modules/express-unless": { + "version": "0.0.0", + "resolved": "https://registry.npmjs.org/express-unless/-/express-unless-0.0.0.tgz", + "integrity": "sha512-JDbC+epHXULwJ1GgCqL3qo/L5ElbhHGWBgEtbbJbF9ZqZLhXqDh70aPj8jmC+MT1ilhhM43AN3BCJKERlKTyTg==" + }, "node_modules/express/node_modules/safe-buffer": { "version": "5.2.1", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", @@ -12084,12 +12086,14 @@ } }, "node_modules/jsonwebtoken": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-0.4.0.tgz", - "integrity": "sha1-ffpErIpYjhbgRTyB8Rq2rd0HQv4=", - "deprecated": "Critical vulnerability fix in v5.0.0. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-5.0.0.tgz", + "integrity": "sha512-ADWSQxWTyk5cjcZgZ1G7mB6jzJxhUFXclsILeiC2jmCIBFDsaTFfL4Wg+VTnZLwEZ4lFINjTEx//fsYRE4A/dw==", "dependencies": { - "jws": "~0.2.2" + "jws": "^3.0.0" + }, + "engines": { + "npm": ">=1.4.28" } }, "node_modules/jsprim": { 
@@ -12171,21 +12175,22 @@ "dev": true }, "node_modules/jwa": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/jwa/-/jwa-0.0.1.tgz", - "integrity": "sha1-LQX1TWjxcGSMMP5FlEcxo4jNB8w=", + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.1.tgz", + "integrity": "sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==", "dependencies": { - "base64url": "~0.0.3" + "buffer-equal-constant-time": "1.0.1", + "ecdsa-sig-formatter": "1.0.11", + "safe-buffer": "^5.0.1" } }, "node_modules/jws": { - "version": "0.2.6", - "resolved": "https://registry.npmjs.org/jws/-/jws-0.2.6.tgz", - "integrity": "sha1-6bfprI0qwQZ0EyM7xsIPvYho6bo=", - "deprecated": "Security update: Versions below 3.0.0 are deprecated.", + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz", + "integrity": "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==", "dependencies": { - "base64url": "0.0.6", - "jwa": "0.0.1" + "jwa": "^1.4.1", + "safe-buffer": "^5.0.1" } }, "node_modules/keyv": { @@ -22533,11 +22538,6 @@ "resolved": "https://registry.npmjs.org/base64id/-/base64id-2.0.0.tgz", "integrity": "sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog==" }, - "base64url": { - "version": "0.0.6", - "resolved": "https://registry.npmjs.org/base64url/-/base64url-0.0.6.tgz", - "integrity": "sha1-lZezazMNscQkdzIuqH6oAnSZuCs=" - }, "basic-auth": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/basic-auth/-/basic-auth-1.1.0.tgz", 
@@ -22861,6 +22861,11 @@ "resolved": "https://registry.npmjs.org/buffer-equal/-/buffer-equal-0.0.1.tgz", "integrity": "sha1-kbx0sR6kBbyRa8aqkI+q+ltKrEs=" }, + "buffer-equal-constant-time": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz", + "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==" + }, "buffer-fill": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/buffer-fill/-/buffer-fill-1.0.0.tgz", @@ -24238,6 +24243,14 @@ "safer-buffer": "^2.1.0" } }, + "ecdsa-sig-formatter": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz", + "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==", + "requires": { + "safe-buffer": "^5.0.1" + } + }, "ecstatic": { "version": "3.3.2", "resolved": "https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz", 
@@ -25417,26 +25430,19 @@ } }, "express-jwt": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/express-jwt/-/express-jwt-0.1.3.tgz", - "integrity": "sha1-fHgiH4udchBq/1VqiluOhS1BsS8=", + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/express-jwt/-/express-jwt-3.0.0.tgz", + "integrity": "sha512-fencYCBrlLlaYuKvE9WEcd4RFgVWcRd0Ef0aBEx8S0vAQa2nyWWmIOrwsclxIB5pPHjO+d3yCBYSo025+CtiRA==", "requires": { - "jsonwebtoken": "~0.1.0" + "async": "^0.9.0", + "express-unless": "0.0.0", + "jsonwebtoken": "^5.0.0" }, "dependencies": { - "jsonwebtoken": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-0.1.0.tgz", - "integrity": "sha1-UFYoSSCS/jXQi2APpnaM0GcRqqI=", - "requires": { - "jws": "~0.2.2", - "moment": "~2.0.0" - } - }, - "moment": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/moment/-/moment-2.0.0.tgz", - "integrity": "sha1-K7xbRMMhg3aTq278rb1G7ZRiEf4=" + "async": { + "version": "0.9.2", + "resolved": "https://registry.npmjs.org/async/-/async-0.9.2.tgz", + "integrity": "sha512-l6ToIJIotphWahxxHyzK9bnLR6kM4jJIIgLShZeqLY7iboHoGkdgFl7W2/Ivi4SkMJYGKqW8vSuk0uKUj6qsSw==" } } }, @@ -25456,6 +25462,11 @@ "resolved": "https://registry.npmjs.org/express-security.txt/-/express-security.txt-2.0.0.tgz", "integrity": "sha512-DwjS7MssPbqTFddZfTqNqyfsq6AUP1A/BytamSeoL0Ai7/alHYsAgxE4zhvoPt6MjoroXkSqq1gStQqxsiaF7A==" }, + "express-unless": { + "version": "0.0.0", + "resolved": "https://registry.npmjs.org/express-unless/-/express-unless-0.0.0.tgz", + "integrity": "sha512-JDbC+epHXULwJ1GgCqL3qo/L5ElbhHGWBgEtbbJbF9ZqZLhXqDh70aPj8jmC+MT1ilhhM43AN3BCJKERlKTyTg==" + }, "ext": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/ext/-/ext-1.6.0.tgz", 
@@ -29355,11 +29366,11 @@ } }, "jsonwebtoken": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-0.4.0.tgz", - "integrity": "sha1-ffpErIpYjhbgRTyB8Rq2rd0HQv4=", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-5.0.0.tgz", + "integrity": "sha512-ADWSQxWTyk5cjcZgZ1G7mB6jzJxhUFXclsILeiC2jmCIBFDsaTFfL4Wg+VTnZLwEZ4lFINjTEx//fsYRE4A/dw==", "requires": { - "jws": "~0.2.2" + "jws": "^3.0.0" } }, "jsprim": { @@ -29432,20 +29443,22 @@ "dev": true }, "jwa": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/jwa/-/jwa-0.0.1.tgz", - "integrity": "sha1-LQX1TWjxcGSMMP5FlEcxo4jNB8w=", + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/jwa/-/jwa-1.4.1.tgz", + "integrity": "sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==", "requires": { - "base64url": "~0.0.3" + "buffer-equal-constant-time": "1.0.1", + "ecdsa-sig-formatter": "1.0.11", + "safe-buffer": "^5.0.1" } }, "jws": { - "version": "0.2.6", - "resolved": "https://registry.npmjs.org/jws/-/jws-0.2.6.tgz", - "integrity": "sha1-6bfprI0qwQZ0EyM7xsIPvYho6bo=", + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz", + "integrity": "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==", "requires": { - "base64url": "0.0.6", - "jwa": "0.0.1" + "jwa": "^1.4.1", + "safe-buffer": "^5.0.1" } }, "keyv": {
diff --git a/package.json b/package.json
index afe094904e7..6e13b349bc2 100644
--- a/package.json
+++ b/package.json
@@ -110,7 +110,7 @@
 "download": "^8.0.0",
 "errorhandler": "^1.5.1",
 "express": "^4.17.1",
- "express-jwt": "0.1.3",
+ "express-jwt": "3.0.0",
 "express-rate-limit": "^5.1.3",
 "express-robots-txt": "^0.4.1",
 "express-security.txt": "^2.0.0",
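Review bot: The exact pins `"express-jwt": "3.0.0"` here and `"jsonwebtoken": "5.0.0"` in the next package.json hunk do not match the root entry of package-lock.json, which this same patch sets to `"^3.0.0"` and `"^5.0.0"`; the lockfile should be regenerated from the edited manifest so both files record the same specifier. The commit message lists only the base64url advisory, and both target versions are still many majors behind the current releases, so a dependency audit will most likely keep flagging the JWT stack after this merge. The change also crosses major versions of the authentication middleware (0.1.3 to 3.0.0) without touching any call site, so the token verification options and the login and authorization tests need to be checked before merging. If the old pins are deliberate, which the `juicy-chat-bot` dependency suggests may be the case for a training target, the bot's change should be declined or the packages added to the scanner's ignore policy instead.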
@@ -132,7 +132,7 @@
 "is-heroku": "^2.0.0",
 "is-windows": "^1.0.2",
 "js-yaml": "^3.14.0",
- "jsonwebtoken": "0.4.0",
+ "jsonwebtoken": "5.0.0",
 "jssha": "^3.1.1",
 "juicy-chat-bot": "~0.6.0",
 "libxmljs2": "^0.26.4",