Update dependency jsonwebtoken to v4 [SECURITY] #6
This PR contains the following updates:

jsonwebtoken: ^0.3.0 -> ^4.2.2
GitHub Vulnerability Alerts

CVE-2015-9235

Versions 4.2.1 and earlier of jsonwebtoken are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occurring when an attacker is allowed to arbitrarily specify the JWT algorithm.

Recommendation

Update to version 4.2.2 or later.
Release Notes

auth0/node-jsonwebtoken

v4.2.2
Compare Source
Fixed
(jfromaniello - awlayton) auth0/node-jsonwebtoken@4027946, auth0/node-jsonwebtoken@8df6aab

v4.2.1
Compare Source
Fixed
(jfromaniello) auth0/node-jsonwebtoken@7017e74

v4.2.0
Compare Source
Security
When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms, an attacker could send a token signed with a symmetric algorithm (HS* family).
The issue was caused because the same signature was used to verify both types of tokens (verify method parameter: secretOrPublicKey). This change adds a new parameter to verify called algorithms. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string BEGIN CERTIFICATE the default is [ 'RS256','RS384','RS512','ES256','ES384','ES512' ], otherwise it is [ 'HS256','HS384','HS512' ]. (jfromaniello) auth0/node-jsonwebtoken@c2bf7b2, auth0/node-jsonwebtoken@1bb584b
v4.1.0
Compare Source
Changed
typ property. 5290db1

v4.0.0
Compare Source
Changed
encoding as a new option to sign. 1fc385e
ignoreExpiration to verify. 8d4da27
expiresInSeconds to sign. dd156cc
Fixed
iat and exp values when signing with noTimestamp. 331b7bc

v3.2.2
Compare Source

v3.2.1
Compare Source

v3.2.0
Compare Source

v3.1.1
Compare Source

v3.1.0
Compare Source

v3.0.0
Compare Source

v2.0.0
Compare Source

v1.1.2
Compare Source
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.