The vulnerable jsonwebtoken version is also a dev dependency of the njwt package used by this project. There is no fixed version of the njwt package available, and it is apparently not currently maintained - see comments on this PR.
Please can we have an update on what action (if any) is being taken to remediate this?
Describe the bug?
Hello,
Multiple CVEs have been reported on the jsonwebtoken package; all have been fixed in the latest release (more details here).
Unfortunately, this project uses a version of the jwks-rsa package that doesn't use the latest version of the jsonwebtoken package.
In version 3.0.0, jwks-rsa doesn't use jsonwebtoken as a dependency anymore.
What is expected to happen?
Use the latest version of jwks-rsa (> 3)
What is the actual behavior?
Doesn't use the latest version of jwks-rsa (< 3)
Reproduction Steps?
Install the package
SDK Versions
2.6.0
Execution Environment
N/A
Additional Information?
No response
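A way to check an application's own lockfile for the condition reported above, as an added example that is not part of the issue or of the SDK's code: it flags any installed jwks-rsa below major version 3 and lists every package that declares jsonwebtoken as a dependency. It assumes an npm `package-lock.json` with the `packages` map (lockfileVersion 2 or 3); `auditLock`, `nameOf` and `SAMPLE_LOCK` are hypothetical names, and the sample versions are constructed, not taken from the issue.

```javascript
// Constructed sample lockfile: versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { 'jwks-rsa': '^2.9.9' } },
    'node_modules/jwks-rsa': { version: '2.9.9', dependencies: { jsonwebtoken: '^1.2.3' } },
    'node_modules/jsonwebtoken': { version: '1.2.3' },
    'node_modules/other': { version: '3.1.0' },
  },
};

// Package name for a "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" is the root project.
function nameOf(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? '(root)' : path.slice(i + marker.length);
}

// Walk every installed package and collect:
//   oldJwksRsa   - jwks-rsa copies with major version < 3
//   jsonwebtoken - every installed copy of jsonwebtoken (nested ones included)
//   requiredBy   - packages whose manifest declares jsonwebtoken
function auditLock(lock) {
  const report = { oldJwksRsa: [], jsonwebtoken: [], requiredBy: [] };
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const name = nameOf(path);
    if (name === 'jwks-rsa' && parseInt(pkg.version, 10) < 3) {
      report.oldJwksRsa.push({ path, version: pkg.version });
    }
    if (name === 'jsonwebtoken') {
      report.jsonwebtoken.push({ path, version: pkg.version });
    }
    // Check both declaration fields when the lockfile records them.
    const declared = { ...pkg.dependencies, ...pkg.devDependencies };
    if ('jsonwebtoken' in declared) {
      report.requiredBy.push({ name, version: pkg.version, range: declared.jsonwebtoken });
    }
  }
  return report;
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock` instead of the sample object.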