Node-jsonwebtoken: Security vulnerability caused by [email protected]

Created on 16 May 2018 · 4 Comments · Source: auth0/node-jsonwebtoken

In our project, Snyk reported [email protected] as a dependency with a known security vulnerability, because it depends on [email protected].

The latest version of jws (3.1.5), no longer depends on the vulnerable dependency of [email protected].

More info about the high severity vulnerability in [email protected] can be found at https://snyk.io/vuln/npm:base64url:20180511

All 4 comments

@ziluvatar FYA

A simple deps update should not take 6 days

@kyrylkov the upgrade is already in this PR: https://github.com/auth0/node-jsonwebtoken/pull/466

Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.

I want to take a look at the fix from JWS first. I took a quick look yesterday and I'm not sure if the decoding works fine, but I want to do some checks before setting that version as the default here. Anyway, as I said, you could get it.

Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.

You are correct. Somehow a few days ago (after jws 3.1.5 was released), full re-installation of jsonwebtoken still pulled 3.1.4, but not anymore. Probably package-lock.json was not deleted before re-installation.
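The situation described in the last two comments (a caret range that already admits the fixed jws release, while a stale package-lock.json keeps resolving the old one) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from node-jsonwebtoken; the manifests are constructed, and `auditLockedDependency` and the hand-rolled caret check are assumed helper names.

```javascript
// Added example (not from the thread): detect whether a lockfile pins a
// dependency below its fixed version even though package.json's caret
// range would already accept the fix. Plain Node.js, no npm packages.

// Constructed sample manifests modelled on the thread: the range allows
// jws patch upgrades, but a stale package-lock.json still resolves 3.1.4.
const packageJson = { dependencies: { jws: '^3.1.4' } };
const packageLock = { dependencies: { jws: { version: '3.1.4' } } };

// First jws release that no longer pulls in the vulnerable base64url
// (as stated in the thread).
const FIXED_JWS = '3.1.5';

// "3.1.4" or "^3.1.4" -> [3, 1, 4]
function parseVersion(v) {
  return v.replace(/^[\^~]/, '').split('.').map(Number);
}

// Numeric major.minor.patch comparison: -1, 0 or 1
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: same major, anything >= the floor.
// An exact (non-caret) range only admits that one version.
function caretAllows(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const floor = parseVersion(range), v = parseVersion(version);
  return v[0] === floor[0] && compareVersions(version, range) >= 0;
}

// Report whether the locked version is still below the fix and whether
// simply regenerating the lockfile would be enough to pick the fix up.
function auditLockedDependency(pkg, lock, name, fixedVersion) {
  const range = pkg.dependencies[name];
  const locked = lock.dependencies[name].version;
  return {
    locked,
    lockedIsVulnerable: compareVersions(locked, fixedVersion) < 0,
    rangeAllowsFix: caretAllows(range, fixedVersion),
  };
}

const report = auditLockedDependency(packageJson, packageLock, 'jws', FIXED_JWS);
if (report.lockedIsVulnerable) {
  console.log(`jws locked at ${report.locked} (< ${FIXED_JWS})` +
    (report.rangeAllowsFix ? '; regenerate package-lock.json to pick up the fix' : ''));
}
```

With real manifests, read them with `JSON.parse(fs.readFileSync(...))` in place of the constructed objects; a `rangeAllowsFix: false` result means the range itself, not only the lockfile, has to change.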

v8.2.2 released with this fixed. Thank you all!
