Upgrade to com.atlassian.jwt version 2.0.1 #534
Currently Silhouette is using version 1.6.1 of the Atlassian JWT library, which in turn uses version 3.6 of nimbus-jose-jwt.
The problem is that this indirect dependency has three known CVEs:
Version 2.0.1 of the Atlassian JWT library uses a version of the nimbus library that is not vulnerable to these CVE entries. I would like to recommend that Silhouette be updated to use this newer version.