
Downstream dependency has vulnerability #944

Closed
jdforsythe opened this issue Jun 29, 2023 · 3 comments · Fixed by #1018
Labels: status: waiting for feedback (waiting for feedback from the submitter), type: security (known security issue)

Comments

@jdforsythe

Issue Summary

A summary of the issue and the environment in which it occurs. If suitable, include the steps required to reproduce the bug. Please feel free to include screenshots, screencasts, or code examples.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ twilio                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ twilio > jsonwebtoken > semver                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092310                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps to Reproduce

  1. This is the first step
  2. This is the second step
  3. Further steps, etc.

Code Snippet

# paste code here

Exception/Log

# paste exception/log here

Technical details:

  • twilio-node version:
  • node version:
@AsabuHere (Contributor)

Hi @jdforsythe,
Thank you for the heads up!
Our team has reviewed the twilio-node repository and doesn't see a semver dependency added here. Can you please share more details on where it is used?

Thanks,
Athira

@AsabuHere added the labels type: security (known security issue) and status: waiting for feedback (waiting for feedback from the submitter) on Jul 5, 2023
@jdforsythe (Author)

@AsabuHere You have a dependency on jsonwebtoken which, in turn, has a dependency on semver. The version they depend on is vulnerable.

Issue:
auth0/node-jsonwebtoken#905

PR for jsonwebtoken:
auth0/node-jsonwebtoken#919

Once a new version of jsonwebtoken is released with the dependency updated, you'll just need to update your dependency to a new version of jsonwebtoken.
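The comment above describes the only way to confirm exposure to a transitive advisory: follow the exact path the audit tool reports (twilio > jsonwebtoken > semver) and check the version actually loaded at the end of it, not whichever copy of semver happens to be hoisted to the top of node_modules. The following is an added example, not code from the twilio-node project or from either commenter. It walks an npm package-lock (lockfileVersion 2/3 "packages" map) using npm's nearest-node_modules lookup and compares the leaf version against the advisory's patched floor of 7.5.2. The two lock fragments and every package version in them are constructed for illustration; the dependency chain and the patched floor are the ones from the advisory table in the issue.

```javascript
// Added example (not twilio-node project code): follow a transitive
// dependency path through an npm package-lock (lockfileVersion 2/3
// "packages" map), applying npm's nearest-node_modules lookup, and compare
// the installed leaf version against the advisory's patched floor.
// All package versions in the sample locks below are constructed.

const CHAIN = ["twilio", "jsonwebtoken", "semver"]; // path from the advisory table
const PATCHED_FLOOR = "7.5.2";                      // "Patched in >=7.5.2"

// Constructed lock BEFORE the fix: jsonwebtoken carries its own nested,
// older semver, so the hoisted top-level semver is NOT what it loads.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { twilio: "^4.0.0" } },
    "node_modules/twilio": { version: "4.12.0", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/jsonwebtoken": { version: "9.0.0", dependencies: { semver: "^7.3.8" } },
    "node_modules/jsonwebtoken/node_modules/semver": { version: "7.3.8" },
    "node_modules/semver": { version: "7.5.4" },
  },
};

// Constructed lock AFTER updating jsonwebtoken: the nested copy is gone and
// resolution falls through to the patched hoisted semver.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { twilio: "^4.0.0" } },
    "node_modules/twilio": { version: "4.13.0", dependencies: { jsonwebtoken: "^9.0.1" } },
    "node_modules/jsonwebtoken": { version: "9.0.1", dependencies: { semver: "^7.5.4" } },
    "node_modules/semver": { version: "7.5.4" },
  },
};

// npm-style lookup: try <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the project root ("").
function resolveDep(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Walk the whole chain from the root, insisting that each hop is actually
// declared by its parent (a package merely present on disk does not count).
function resolveChain(lock, chain) {
  let loc = "";
  const hops = [];
  for (const name of chain) {
    const declared = (lock.packages[loc] && lock.packages[loc].dependencies) || {};
    if (!(name in declared)) throw new Error(`${loc || "<root>"} does not declare ${name}`);
    const key = resolveDep(lock, loc, name);
    if (!key) throw new Error(`${name} declared by ${loc || "<root>"} but missing from lock`);
    hops.push({ name, key, version: lock.packages[key].version });
    loc = key;
  }
  return hops;
}

// Minimal x.y.z comparison (pre-release tags ignored); enough for a floor check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report the resolved path, where the leaf lives, and whether it is patched.
function auditChain(lock, chain, patchedFloor) {
  const hops = resolveChain(lock, chain);
  const leaf = hops[hops.length - 1];
  return {
    path: hops.map((h) => `${h.name}@${h.version}`).join(" > "),
    installedAt: leaf.key,
    installed: leaf.version,
    patched: compareVersions(leaf.version, patchedFloor) >= 0,
  };
}

console.log(auditChain(LOCK_BEFORE, CHAIN, PATCHED_FLOOR));
console.log(auditChain(LOCK_AFTER, CHAIN, PATCHED_FLOOR));
```

The design point is the nested-copy case in LOCK_BEFORE: a top-level `node_modules/semver` at a patched version says nothing about what jsonwebtoken loads, because npm serves it the nearer `node_modules/jsonwebtoken/node_modules/semver`. That is why the fix lands only once jsonwebtoken itself raises its semver range and the dependent bumps jsonwebtoken, as the comment above explains. To run this against a real project, replace the constructed objects with the parsed contents of its package-lock.json.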

@tiwarishubham635 (Contributor)

Created a PR for this change. Thanks!
