chore(deps): update dependency jsonwebtoken to v9

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
jsonwebtoken	dependencies	major	^7.0.0 -> ^9.0.0

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
High	8.8	CVE-2018-3728	#468

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
High	8.1	CVE-2022-23539	#378
High	7.6	CVE-2022-23540	#395

---

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

v9.0.0

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

v8.5.1

Compare Source

Bug fix

• fix: ensure correct PS signing and verification (#​585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #​585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

v8.5.0

Compare Source

New Functionality

• feat: add PS JWA support for applicable node versions (#​573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #​573
• Add complete option in jwt.verify (#​522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #​522

Test Improvements

• Add tests for private claims in the payload (#​555) (5147852896755dc1291825e2e40556f964411fb2), closes #​555
• Force use_strict during testing (#​577) (7b60c127ceade36c33ff33be066e435802001c94), closes #​577
• Refactor tests related to jti and jwtid (#​544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #​544
• ci: remove nsp from tests (#​569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #​569

Docs

• Fix 'cert' token which isn't a cert (#​554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #​554

v8.4.0

Compare Source

New Functionality

• Add verify option for nonce validation (#​540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #​540

Bug Fixes

• Updating Node version in Engines spec in package.json (#​528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #​528 #​509
• Fixed error message when empty string passed as expiresIn or notBefore option (#​531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #​531

Docs

• Update README.md (#​527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #​527
• Update README.md (#​538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #​538
• Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#​548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #​548
• Document NotBeforeError (#​529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #​529

Test Improvements

• Use lolex for faking date in tests (#​491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #​491
• Update dependencies used for running tests (#​518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #​518
• Minor test refactoring for recently added tests (#​504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #​504
• Create and implement async/sync test helpers (#​523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #​523
• Refactor tests related to audience and aud (#​503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #​503
• Refactor tests related to expiresIn and exp (#​501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #​501
• Refactor tests related to iat and maxAge (#​507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #​507
• Refactor tests related to iss and issuer (#​543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #​543
• Refactor tests related to kid and keyid (#​545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #​545
• Refactor tests related to notBefore and nbf (#​497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #​497
• Refactor tests related to subject and sub (#​505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #​505
• Implement async/sync tests for exp claim (#​536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #​536
• Implement async/sync tests for nbf claim (#​537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #​537
• Implement async/sync tests for sub claim (#​534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #​534
• Implement async/sync tests for the aud claim (#​535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #​535

CI

• Added Istanbul to check test-coverage (#​468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #​468
• Complete ESLint conversion and cleanup (#​490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #​490
• Make code-coverage mandatory when running tests (#​495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #​495

v8.3.0

Compare Source

• docs: add some clarifications (#​473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #​473
• ci: fix ci execution, remove not needed script (#​472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #​472
• new feature: Secret callback revisited (#​480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #​480
• docs:Update README.md (#​461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #​461

v8.2.2

Compare Source

• security: deps: jws@3.1.5 (#​477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #​465
• docs: add some clarifications (#​473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #​473
• ci: fix ci execution, remove not needed script (#​472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #​472
• docs: Update README.md (#​461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #​461

v8.2.1

Compare Source

• bug fix: Check payload is not null when decoded. (#​444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
• docs: Clarify that buffer/string payloads must be JSON (#​442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)

v8.2.0

Compare Source

• Add a new mutatePayload option (#​446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)

v8.1.1

Compare Source

• ci: add newer node versions to build matrix (#​428) (83f3eee44e122da06f812d7da4ace1fa26c24d9d)
• deps: Bump ms version to add support for negative numbers (#​438) (25e0e624545eaef76f3c324a134bf103bc394724)
• docs: Minor typo (#​424) (dddcb73ac05de11b81feeb629f6cf78dd03d2047)
• bug fix: Not Before (nbf) calculated based on iat/timestamp (#​437) (2764a64908d97c043d62eba0bf6c600674f9a6d6), closes #​435

v8.1.0

Compare Source

• #​402: Don't fail if captureStackTrace is not a function (#​410) (77ee965d9081faaf21650f266399f203f69533c5)
• #​403: Clarify error wording for "Expected object" error. (#​409) (bb27eb346f0ff675a320b2de16b391a7cfeadc58)
• Enhance audience check to verify against regular expressions (#​398) (81501a17da230af7b74a3f7535ab5cd3a19c8315)

v8.0.1

Compare Source

• Remove lodash.isarray dependency (#​394) (7508e8957cb1c778f72fa9a363a7b135b3c9c36d)

v8.0.0

Compare Source

Breaking changes: See Migration notes from v7

• docs: readme, migration notes (12cd8f7f47224f904f6b8f39d1dee73775de4f6f)
• verify: remove process.nextTick (#​302) (3305cf04e3f674b9fb7e27c9b14ddd159650ff82)
• Reduce size of NPM package (#​347) (0be5409ac6592eeaae373dce91ec992fa101bd8a)
• Remove joi to shrink module size (#​348) (2e7e68dbd59e845cdd940afae0a296f48438445f)
• maxAge: Add validation to timespan result (66a4f8b996c8357727ce62a84605a005b2f5eb18)

v7.4.3

Compare Source

• Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style) (PR 386)

v7.4.2

Compare Source

• bugfix: sign: add check to be sure secret has a value (c584d1cbc34b788977b36f17cd57ab2212f1230e)
• docs: about refreshing tokens (016fc10b847bfbb76b82171cb530f32d7da2001b)
• docs: verifying with base64 encoded secrets (c25e9906801f89605080cc71b3ee23a5e45a5811)
• tests: Add tests for ES256 (89900ea00735f76b04f437c9f542285b420fa9cb)
• docs: document keyid as option (#​361) (00086c2c006d7fc1a47bae02fa87d194d79aa558)
• docs: readme: Using private key with passpharase (#​353) (27a7f1d4f35b662426ff0270526d48658da4c8b7)

v7.4.1

Compare Source

• bump ms to v2 due a ReDoS vulnerability (#​352) (adcfd6ae4088c838769d169f8cd9154265aa13e0)

v7.4.0

Compare Source

• Add docs about numeric date fields (659f73119900a4d837650d9b3f5af4e64a2f843b)
• Make Options object optional for callback-ish sign (e202c4fd00c35a24e9ab606eab89186ade13d0cc)

v7.3.0

Compare Source

• Add more information to maxAge option in README (1b0592e99cc8def293eed177e2575fa7f1cf7aa5)
• Add clockTimestamp option to verify() you can set the current time in seconds with it (#​274) (8fdc1504f4325e7003894ffea078da9cba5208d9)
• Fix handling non string tokens on verify() input (#​305) (1b6ec8d466504f58c5a6e2dae3360c828bad92fb), closes #​305
• Fixed a simple typo in docs (#​287) (a54240384e24e18c00e75884295306db311d0cb7), closes #​287
• Raise jws.decode error to avoid confusion with "invalid token" error (#​294) (7f68fe06c88d5c5653785bd66bc68c5b20e1bd8e)
• rauchg/ms.js changed to zeit/ms (#​303) (35d84152a6b716d757cb5b1dd3c79fe3a1bc0628)

v7.2.1

Compare Source

• add nsp check to find vulnerabilities on npm test (4219c34b5346811c07f520f10516cc495bcc70dd)
• revert to joi@^6 to keep ES5 compatibility (51d4796c07344bf817687f7ccfeef78f00bf5b4f)

v7.2.0

Compare Source

• improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)
• Restructured a sentence (ccc7610187a862f7a50177eadc9152eef26cd065)
• Allow keyid on sign. (b412be91b89acb3a742bb609d3b54e47e1dfc441)
• upgrade joi (715e3d928023d414d45c6dc3f096a7c8448139ae)
• upgrade to latest nodes and Travis infrastructure (3febcc1dd23ecdec1abbf89313959941d15eb47a)

v7.1.10

Compare Source

• Bump node-jws version number (07813dd7194630c9f452684279178af76464a759)
• improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)

v7.1.9

Compare Source

• Revert "Merge branch 'venatir-master'" (d06359ef3b4e619680e043ee7c16adda16598f52)

v7.1.8

Compare Source

• Fixed tests, however typ: 'JWT' should not be in the options at all, so please review other tests (01903bcdc61b4ed429acbbd1fe0ffe0db364473b)
• Removing unnecessary extra decoding. jwtString is already verified as valid and signature checked (55d5834f7b637011e1d8b927ff78a92a5fd521cf)
• update changelog (5117aacd0118a10331889a64e61d8186112d8a23)

v7.1.7

Compare Source

• Use lodash.once instead of unlicensed/unmaintained cb (3ac95ad93ef3068a64e03d8d14deff231b1ed529)

v7.1.6

Compare Source

• fix issue with buffer payload. closes #​216 (6b50ff324b4dfd2cb0e49b666f14a6672d015b22), closes #​216

v7.1.5

Compare Source

• update jws in package.json (b6260951eefc68aae5f4ede359210761f901ff7a)

v7.1.3

Compare Source

v7.1.1

Compare Source

• Bump node-jws version number (07813dd7194630c9f452684279178af76464a759)
• improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)

v7.1.0

Compare Source

• Exp calculated based on iat. fix #​217 (757a16e0e35ad19f9e456820f55d5d9f3fc76aee), closes #​217

v7.0.1

Compare Source

---

• If you want to rebase/retry this PR, check this box