fix: Security upgrade jsonwebtoken from 8.5.1 to 9.0.0

[parseplatformorg]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade jsonwebtoken from 8.5.1 to 9.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 1 version ahead of your current version.
• The recommended version was released 5 months ago, on 2022-12-21.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	534/1000 Why? Has a fix available, CVSS 6.4	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	534/1000 Why? Has a fix available, CVSS 6.4	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	534/1000 Why? Has a fix available, CVSS 6.4	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: jsonwebtoken

• 9.0.0 - 2022-12-21
  

  • Check if node version supports asymmetricKeyDetails

  • Validate algorithms for ec key type

  • Rename variable

  • Rename function

  • Add early return for symmetric keys

  • Validate algorithm for RSA key type

  • Validate algorithm for RSA-PSS key type

  • Check key types for EdDSA algorithm

  • Rename function

  • Move validateKey function to module

  • Convert arrow to function notation

  • Validate key in verify function

  • Simplify if

  • Convert if to switch..case

  • Guard against empty key in validation

  • Remove empty line

  • Add lib to check modulus length

  • Add modulus length checks

  • Validate mgf1HashAlgorithm and saltLength

  • Check node version before using key details API

  • Use built-in modulus length getter

  • Fix Node version validations

  • Remove duplicate validateKey

  • Add periods to error messages

  • Fix validation in verify function

  • Make asymmetric key validation the latest validation step

  • Change key curve validation

  • Remove support for ES256K

  • Fix old test that was using wrong key types to sign tokens

  • Enable RSA-PSS for old Node versions

  • Add specific RSA-PSS validations on Node 16 LTS+

  • Improve error message

  • Simplify key validation code

  • Fix typo

  • Improve error message

  • Change var to const in test

  • Change const to let to avoid reassigning problem

  • Improve error message

  • Test incorrect private key type

  • Rename invalid to unsupported

  • Test verifying of jwt token with unsupported key

  • Test invalid private key type

  • Change order of object parameters

  • Move validation test to separate file

  • Move all validation tests to separate file

  • Add prime256v1 ec key

  • Remove modulus length check

  • WIP: Add EC key validation tests

  • Fix node version checks

  • Fix error message check on test

  • Add successful tests for EC curve check

  • Remove only from describe

  • Remove only

  • Remove duplicate block of code

  • Move variable to a different scope and make it const

  • Convert allowed curves to object for faster lookup

  • Rename variable

  • Change variable assignment order

  • Remove unused object properties

  • Test RSA-PSS happy path and wrong length

  • Add missing tests

  • Pass validation if no algorithm has been provided

  • Test validation of invalid salt length

  • Test error when signing token with invalid key

  • Change var to const/let in verify tests

  • Test verifying token with invalid key

  • Improve test error messages

  • Add parameter to skip private key validation

  • Replace DSA key with a 4096 bit long key

  • Test allowInvalidPrivateKeys in key signing

  • Improve test message

  • Rename variable

  • Add key validation flag tests

  • Fix variable name in Readme

  • Change private to public dsa key in verify

  • Rename flag

  • Run EC validation tests conditionally

  • Fix tests in old node versions

  • Ignore block of code from test coverage

  • Separate EC validations tests into two different ones

  • Add comment

  • Wrap switch in if instead of having an early return

  • Remove unsupported algorithms from asymmetric key validation

  • Rename option to allowInvalidAsymmetricKeyTypes and improve Readme

  • 9.0.0

  • adding migration notes to readme

  • adding changelog for version 9.0.0

  Co-authored-by: julienwoll julien.wollscheid@auth0.com

• 8.5.1 - 2019-03-18
  

  8.5.1

from jsonwebtoken GitHub release notes

Commit messages

Package name: jsonwebtoken

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
• 8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• 15a1bc4 refactor: make decode non-enumerable
• 5f10bf9 docs: add jwtid to options of jwt.verify (Is it possible to use dry-run parameter with this library? node-apn/node-apn#704)
• 88cb9df Replace tilde-indexOf with includes (Fix issue 543 by clearing health check interval on endpoint close node-apn/node-apn#647)
• a6235fa Adds not to README on decoded payload validation (Add support for critical alert sounds node-apn/node-apn#646)
• 5ed1f06 docs: fix tiny style change in readme (add info about where to get keyId node-apn/node-apn#622)
• 9fb90ca style: add missing semicolon (Fix Client.shutdown to use correct close function node-apn/node-apn#641)
• a9e38b8 ci: use circleci (Unprocessed notification node-apn/node-apn#589)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

Thanks for opening this pull request!

• ❌ Please link an issue that describes the reason for this pull request, otherwise your pull request will be closed. Make sure to write it as Closes: #123 in the PR description, so I can recognize it.

[codecov]

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.11 🎉

Comparison is base (650993d) 93.42% compared to head (32d6f1c) 93.53%.

❗ Current head 32d6f1c differs from pull request most recent head f56f106. Consider uploading reports for the commit f56f106 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #128      +/-   ##
==========================================
+ Coverage   93.42%   93.53%   +0.11%     
==========================================
  Files          23       23              
  Lines         578      588      +10     
==========================================
+ Hits          540      550      +10     
  Misses         38       38              

Impacted Files	Coverage Δ
lib/notification/index.js	100.00% <ø> (ø)
lib/notification/apsProperties.js	100.00% <100.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[parseplatformorg]

🎉 This change has been released in version 5.2.1