samples
samples copied to clipboard
ampproject
Update dependency jsonwebtoken to v9 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| jsonwebtoken | ^8.0.0 -> ^9.0.0 |
GitHub Vulnerability Alerts
CVE-2022-23540
Overview
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.
Am I affected?
You will be affected if all the following are true in the jwt.verify() function:
- a token with no signature is received
- no algorithms are specified
- a falsy (e.g. null, false, undefined) secret or key is passed
How do I fix it?
Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.
Will the fix impact my users?
There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.
Release Notes
auth0/node-jsonwebtoken (jsonwebtoken)
v9.0.0
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([
8345030]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16) - RSA key size must be 2048 bits or greater. ([
ecdf6cc]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6) - Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes
Arbitrary File Write via verify function- CVE-2022-23529 - security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass- CVE-2022-23540 - security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC- CVE-2022-23541 - security: fixes
Unrestricted key type could lead to legacy keys usage- CVE-2022-23539
v8.5.1
Bug fix
- fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585
Docs
- README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)
v8.5.0
New Functionality
- feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
- Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522
Test Improvements
- Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
- Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
- Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
- ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569
Docs
- Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554
v8.4.0
New Functionality
- Add verify option for nonce validation (#540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #540
Bug Fixes
- Updating Node version in Engines spec in package.json (#528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #528 #509
- Fixed error message when empty string passed as expiresIn or notBefore option (#531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #531
Docs
- Update README.md (#527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #527
- Update README.md (#538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #538
- Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #548
- Document NotBeforeError (#529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #529
Test Improvements
- Use lolex for faking date in tests (#491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #491
- Update dependencies used for running tests (#518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #518
- Minor test refactoring for recently added tests (#504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #504
- Create and implement async/sync test helpers (#523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #523
- Refactor tests related to audience and aud (#503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #503
- Refactor tests related to expiresIn and exp (#501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #501
- Refactor tests related to iat and maxAge (#507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #507
- Refactor tests related to iss and issuer (#543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #543
- Refactor tests related to kid and keyid (#545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #545
- Refactor tests related to notBefore and nbf (#497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #497
- Refactor tests related to subject and sub (#505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #505
- Implement async/sync tests for exp claim (#536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #536
- Implement async/sync tests for nbf claim (#537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #537
- Implement async/sync tests for sub claim (#534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #534
- Implement async/sync tests for the aud claim (#535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #535
CI
- Added Istanbul to check test-coverage (#468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #468
- Complete ESLint conversion and cleanup (#490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #490
- Make code-coverage mandatory when running tests (#495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #495
v8.3.0
- docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
- ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
- new feature: Secret callback revisited (#480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #480
- docs:Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461
v8.2.2
- security: deps: [email protected] (#477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #465
- docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
- ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
- docs: Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461
v8.2.1
- bug fix: Check payload is not null when decoded. (#444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
- docs: Clarify that buffer/string payloads must be JSON (#442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)
v8.2.0
- Add a new mutatePayload option (#446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)
v8.1.1
- ci: add newer node versions to build matrix (#428) (83f3eee44e122da06f812d7da4ace1fa26c24d9d)
- deps: Bump ms version to add support for negative numbers (#438) (25e0e624545eaef76f3c324a134bf103bc394724)
- docs: Minor typo (#424) (dddcb73ac05de11b81feeb629f6cf78dd03d2047)
- bug fix: Not Before (nbf) calculated based on iat/timestamp (#437) (2764a64908d97c043d62eba0bf6c600674f9a6d6), closes #435
v8.1.0
- #402: Don't fail if captureStackTrace is not a function (#410) (77ee965d9081faaf21650f266399f203f69533c5)
- #403: Clarify error wording for "Expected object" error. (#409) (bb27eb346f0ff675a320b2de16b391a7cfeadc58)
- Enhance audience check to verify against regular expressions (#398) (81501a17da230af7b74a3f7535ab5cd3a19c8315)
v8.0.1
- Remove
lodash.isarraydependency (#394) (7508e8957cb1c778f72fa9a363a7b135b3c9c36d)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: amp-concert/package-lock.json