New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 4 vulnerabilities #84

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-b436328fb166c2220975cdaf87a21d33

snyk-bot commented Dec 26, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	671/1000 Why? Recently disclosed, Has a fix available, CVSS 7.7	Improper Input Validation SNYK-JS-JSONWEBTOKEN-3180020	Yes	No Known Exploit
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	Yes	No Known Exploit
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	Yes	No Known Exploit
	526/1000 Why? Recently disclosed, Has a fix available, CVSS 4.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: express-jwt

The new version differs by 97 commits.

c69a0e4 update changelog
2157954 8.0.0
d8ffa02 upgrade jsonwebtoken to v9
c555b48 Merge pull request #306 from auth0/SRE-57-Upload-opslevel-yaml
172d07c 7.7.7
f79b001 7.7.6
076b3dc remove types for express-unless and update it. closes #307
0c87c3a Upload OpsLevel YAML
f0e41d6 Fix misspelled word in readme
45ba2e0 7.7.5
139aa05 update express-unless
2f99e2d 7.7.4
2242f01 update express-unless
eb50853 update changelog
c30feb4 7.7.3
c583fdd Merge branch 'ItzRabbs-master'
9ccf0cf Remove esModuleInterop and fix assert import in tests
e1fe1d2 Fix tsc build error for express-unless
7c1fb33 7.7.2
6c87fe4 fix instaceof comparison for UnauthorizedError. closes #292
b1344fa update changelog
c5f00ea 7.7.1
7a02ca7 fix readme and package-lock
f3f5af5 build(deps): required runtime types

See the full diff

Package name: jsonwebtoken

The new version differs by 17 commits.

e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
5eaedbf chore(ci): remove github test actions job (#861)
cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
7e6a86b Upload OpsLevel YAML (#849)
74d5719 docs: update references vercel/ms references (#770)
d71e383 docs: document "invalid token" error
3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
a46097e docs: make decode impossible to discover before verify
15a1bc4 refactor: make decode non-enumerable
5f10bf9 docs: add jwtid to options of jwt.verify (#704)
88cb9df Replace tilde-indexOf with includes (#647)
a6235fa Adds not to README on decoded payload validation (#646)
5ed1f06 docs: fix tiny style change in readme (#622)
9fb90ca style: add missing semicolon (#641)
a9e38b8 ci: use circleci (#589)

See the full diff

Package name: jwks-rsa

The new version differs by 111 commits.

1e3ba06 Removes babel (#226)
9c4fddf Update README.md
914dd42 V2 Release (#225)
06217d7 fix: missing export (#217)
8dc9698 Update cov path (#224)
b66e83f Simplify request wrapper (#218)
2408cac Add alg to SigningKey types (#220)
596e944 Merge pull request #221 from auth0/fix-package-lock
9148f51 jfrog -> npmjs
589dde8 Pinning Node Engine Versions (#212)
dab5112 Release 1.12.2 (#213)
61d4343 full JWK/JWS support (#205)
818d061 Release v1.12.1 (#209)
3bbe93f Bump Axios to ^0.21.1 (#208)
6fa1db0 Add types for agent options used by ExpressJwtOptions (#206)
ee90de2 Fix PR link in changelog (#207)
26d760b Release 1.12.0 (#204)
4446484 Provides an alternative source for keysets (#202)
6cfa98f Add functionality to allow directly provided jwt keysets (#191)
c5b58c5 Setup pull-request and issue templates (#198)
5312f44 docs: Fix 'cacheMaxAge' default value in README (#196)
8c480f4 Setup pull-request and issue templates (#195)
b2e7a10 Setup the CODEOWNERS for pull request reviews (#194)
e6a49c3 1.11.0 Release (#193)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Use of a Broken or Risky Cryptographic Algorithm


          fix: package.json & package-lock.json to reduce vulnerabilities

18c8182

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment