CVE on dependencies #21
Labels
bug
Something isn't working
Comments
|
Is there action being taken on this? It's breaking CI/CD flows. Snyk flags it. |
|
The vulnerable jsonwebtoken version is also a dev dependency of the njwt package used by this project. There is no fixed version of the njwt package available, and it is apparently not currently maintained - see comments on this PR. Please can we have an update on what action (if any) is being taken to remediate this? |
|
thanks all for your patience, we have released an update (3.0.0) which upgrades the vulnerable dependencies |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug?
Hello,
Multiple CVE have been reported on the jsonwebtoken package, all have been fixed in the latest release (more details here )
Unfortunately this project use a version of the jwks-rsa package that doesn't use the latest version of the jsonwebtoken package.
In version 3.0.0, jwks-rsa doesn't use jsonwebtoken as a dependencies anymore.
What is expected to happen?
Use the latest version of jwks-rsa (> 3)
What is the actual behavior?
Doesn't use the latest version of jwks-rsa (< 3)
Reproduction Steps?
Install the package
SDK Versions
2.6.0
Execution Environment
N/A
Additional Information?
No response
The text was updated successfully, but these errors were encountered: