In our project, Snyk reported [email protected] as a dependency with a known security vulnerability, because it depends on [email protected].
The latest version of jws (3.1.5) no longer depends on the vulnerable dependency [email protected].
More info about the high severity vulnerability in [email protected] can be found at https://snyk.io/vuln/npm:base64url:20180511
@ziluvatar FYA
A simple deps update should not take 6 days
@kyrylkov the upgrade is already in this PR: https://github.com/auth0/node-jsonwebtoken/pull/466
Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.
I want to take a look at the fix from JWS first. I took a quick look yesterday and I'm not sure if the decoding works fine, but I want to do some checks before setting that version as the default here. Anyway, as I said, you could get it.
> Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.
You are correct. Somehow a few days ago (after jws 3.1.5 was released), full re-installation of jsonwebtoken still pulled 3.1.4, but not anymore. Probably package-lock.json was not deleted before re-installation.
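The two comments above describe the situation exactly: the package.json range already admits the fixed jws release, but a stale package-lock.json keeps resolving the old one. The following is an added example (not code from the node-jsonwebtoken project or from anyone in this thread) that reads a manifest and a lockfile, checks the locked version against the declared range, and flags a lock that pins an older version than the range would accept. The manifest and lockfile are constructed inline; the `~3.1.4` range is an assumption, since the thread only says the definition "allows JWS patch upgrades", and the caret/tilde rules are implemented by hand so the script runs without the `semver` package.

```javascript
// Added example, not part of the node-jsonwebtoken project.
// Detect a package-lock.json that pins a dependency below what the
// package.json range already permits (the "stale lock" case in the thread).

// Constructed manifest. The "~3.1.4" range is an assumption; the thread only
// says the definition "allows JWS patch upgrades".
const packageJson = {
  name: "jsonwebtoken",
  dependencies: { jws: "~3.1.4" },
};

// Constructed lockfile in the npm 5 "lockfileVersion": 1 layout, still
// pinning the pre-fix jws release.
const packageLock = {
  lockfileVersion: 1,
  dependencies: { jws: { version: "3.1.4" } },
};

// Parse "major.minor.patch" into numbers. Pre-release tags are rejected to
// keep the example small; real ranges need the semver package for those.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower (inclusive) and upper (exclusive) bounds of a tilde or caret range,
// following npm's semver rules:
//   ~x.y.z  patch updates only:           >= x.y.z  < x.(y+1).0
//   ^x.y.z  minor and patch, for x > 0:   >= x.y.z  < (x+1).0.0
//   ^0.y.z  patch only, for y > 0:        >= 0.y.z  < 0.(y+1).0
//   ^0.0.z  exactly that patch:           >= 0.0.z  < 0.0.(z+1)
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [x, y, z] = base;
  let upper;
  if (op === "~") {
    upper = [x, y + 1, 0];
  } else if (op === "^") {
    if (x > 0) upper = [x + 1, 0, 0];
    else if (y > 0) upper = [0, y + 1, 0];
    else upper = [0, 0, z + 1];
  } else {
    throw new Error(`unsupported range: ${range}`);
  }
  return { lower: base, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// For every dependency in the manifest, report the locked version, whether it
// is inside the range, whether a candidate release (e.g. the fixed version)
// would be accepted by the same range, and whether the lock is stale: the
// candidate fits the range but the lock still pins something older.
function auditLock(manifest, lock, candidates) {
  const report = {};
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    const entry = lock.dependencies[name];
    const locked = entry ? entry.version : undefined;
    const candidate = candidates[name];
    const candidateInRange = candidate ? satisfies(candidate, range) : false;
    report[name] = {
      range,
      locked,
      lockedInRange: locked ? satisfies(locked, range) : false,
      candidateInRange,
      staleLock: Boolean(
        locked && candidateInRange &&
        compare(parseVersion(locked), parseVersion(candidate)) < 0
      ),
    };
  }
  return report;
}

// Run against the constructed inputs with 3.1.5 as the fixed release.
const report = auditLock(packageJson, packageLock, { jws: "3.1.5" });
console.log(JSON.stringify(report, null, 2));
```

When `staleLock` is true, the fix is the one kyrylkov describes: regenerate the lockfile (delete package-lock.json and reinstall, or run `npm update jws`) rather than editing package.json, and confirm with `npm ls jws` that the resolved version is now the patched one.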
v8.2.2 released with this fixed. Thank you all!