nexmo-node
Update dependency jsonwebtoken to v9 (master)
This PR contains the following updates:
| Package | Type | Update | Change | 
|---|---|---|---|
| jsonwebtoken | dependencies | major | ^8.4.0 -> ^9.0.0 | 
By merging this PR, the below vulnerabilities will be automatically resolved:
| Severity | CVE | Reachability | |
|---|---|---|---|
| Medium 5.9 | CVE-2022-23539 | | |
Release Notes
auth0/node-jsonwebtoken (jsonwebtoken)
v9.0.0
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([8345030](https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16))
- RSA key size must be 2048 bits or greater. ([ecdf6cc](https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6))
- Key types must be valid for the signing / verification algorithm
 
Security fixes
- security: fixes Arbitrary File Write via verify function - CVE-2022-23529
- security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
- security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
- security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
v8.5.1
Bug fix
- fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585
 
Docs
- README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)
 
v8.5.0
New Functionality
- feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
- Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522
 
Test Improvements
- Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
- Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
- Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
- ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569
 
Docs
- Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554
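
A pre-upgrade check for the key constraints listed under "Breaking changes" for v9.0.0 above, as an added example that is not part of this PR or of jsonwebtoken's own code. It uses only Node's built-in crypto module; `auditKey`, the algorithm-family table and the generated sample keys are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Assumed mapping of JWT algorithm family to acceptable Node key types.
const KEY_TYPES_FOR_FAMILY = { RS: ['rsa'], PS: ['rsa', 'rsa-pss'], ES: ['ec'] };
const MIN_RSA_BITS = 2048; // "RSA key size must be 2048 bits or greater"

// Returns a list of problems; an empty list means the key/algorithm pair passes.
function auditKey(keyMaterial, algorithm) {
  if (algorithm === 'none') return ['unsigned tokens are no longer accepted by default'];
  const family = algorithm.slice(0, 2);
  let key = null;
  try {
    key = crypto.createPublicKey(keyMaterial);
  } catch {
    // Not parseable as an asymmetric key; it may be a plain shared secret.
  }
  if (family === 'HS') {
    // Asymmetric key material passed as an HMAC secret is the RSA-to-HMAC mix-up.
    return key ? ['asymmetric key material used as an HMAC secret'] : [];
  }
  const allowed = KEY_TYPES_FOR_FAMILY[family];
  if (!allowed) return [`unknown algorithm ${algorithm}`];
  if (!key) return ['key is not a parseable asymmetric key'];
  const problems = [];
  const type = key.asymmetricKeyType;
  if (!allowed.includes(type)) problems.push(`${type} key is not valid for ${algorithm}`);
  if (type === 'rsa' || type === 'rsa-pss') {
    const bits = key.asymmetricKeyDetails.modulusLength;
    if (bits < MIN_RSA_BITS) problems.push(`RSA modulus is ${bits} bits, below ${MIN_RSA_BITS}`);
  }
  return problems;
}

// Constructed sample keys, generated locally so the example runs offline.
function samplePem(type, options) {
  const { publicKey } = crypto.generateKeyPairSync(type, options);
  return publicKey.export({ type: 'spki', format: 'pem' });
}
const weakRsa = samplePem('rsa', { modulusLength: 1024 });
const goodRsa = samplePem('rsa', { modulusLength: 2048 });
const ecKey = samplePem('ec', { namedCurve: 'prime256v1' });

console.log('1024-bit RSA with RS256:', auditKey(weakRsa, 'RS256'));
console.log('EC key with RS256:', auditKey(ecKey, 'RS256'));
console.log('RSA public key with HS256:', auditKey(goodRsa, 'HS256'));
console.log('2048-bit RSA with RS256:', auditKey(goodRsa, 'RS256'));
```

Running it over the keys an application passes to sign() and verify() shows which ones need rotating or an algorithm change before the upgrade is merged.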
 