
NPM vulnerabilities error message

Open kkrishnakv opened this issue 6 years ago • 4 comments

I'm getting the error message below while installing the package manager.

Low            Out-of-bounds Read
Package        njwt
Patched in     No patch available
Dependency of  @okta/jwt-verifier
Path           @okta/jwt-verifier > njwt
More info      https://nodesecurity.io/advisories/679

kkrishnakv, Feb 03 '19 06:02

Thanks for the update - there's a pending upstream PR last I checked that we were waiting on, but I'll take another peek to see where that stands.

swiftone, Feb 04 '19 23:02

Any updates?

mationai, Mar 01 '19 01:03

@fuzzthink Actually, yes - we just got the patch into the upstream package (njwt has a 0.4.1 release) and this package is getting that and several other upstream updates as soon as we can resolve all the conflicts. Until then, note that recent Node versions do not have the buffer data uninitialized.

swiftone, Mar 01 '19 01:03
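Until the upstream update lands, a consumer of @okta/jwt-verifier may want to check which njwt version a lockfile actually resolves, and on which dependency path. The script below is an added example, not code from this issue or from the okta-oidc-js project. It walks a lockfileVersion 1 package-lock.json tree (the nested `dependencies` / `version` shape npm 5 and 6 write), lists every resolved copy of njwt with its path, and flags copies older than the 0.4.1 release mentioned above. The lock data embedded in it is constructed for illustration; the version numbers and the second library in it are made up.

```javascript
// Added example (not part of the issue or of okta-oidc-js): find every resolved
// copy of a package in a lockfileVersion 1 package-lock.json and flag those
// below a given fixed version.

// Constructed sample lock, shaped like an npm 5/6 package-lock.json.
// The versions and the "some-other-lib" entry are made up for this example.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@okta/jwt-verifier": {
      version: "0.0.0-constructed",
      dependencies: {
        njwt: { version: "0.4.0" }
      }
    },
    "some-other-lib": {
      version: "1.2.3",
      dependencies: {
        njwt: { version: "0.4.1" }
      }
    }
  }
};

// Parse "MAJOR.MINOR.PATCH" into numbers; null when the string is not plain semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative when a < b, zero when equal, positive when a > b (numeric parts only,
// so "0.10.0" correctly sorts above "0.4.1" where a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively collect every resolved copy of `pkg`, with the dependency path
// leading to it in the same "a > b > c" form npm audit prints.
function findPackage(lock, pkg, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === pkg) out.push({ path: here.join(" > "), version: entry.version });
    findPackage(entry, pkg, here, out);
  }
  return out;
}

// Only the copies of `pkg` whose resolved version is below `fixedIn`.
function vulnerableCopies(lock, pkg, fixedIn) {
  return findPackage(lock, pkg).filter(hit => compareVersions(hit.version, fixedIn) < 0);
}

// Human-readable report; returns the lines so callers can log or assert on them.
function report(lock, pkg, fixedIn) {
  const hits = vulnerableCopies(lock, pkg, fixedIn);
  if (hits.length === 0) return [`no copy of ${pkg} below ${fixedIn} found`];
  return hits.map(h => `${h.path} @ ${h.version} is below ${fixedIn}`);
}

// Run against the constructed sample when executed directly.
for (const line of report(SAMPLE_LOCK, "njwt", "0.4.1")) console.log(line);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 2 and 3 files use a flat `packages` map instead of nested `dependencies`, so this walker would need a different traversal for those.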

A vulnerability in njwt is also being reported by retirejs now. See https://hackerone.com/reports/321704. There is no fixed version of njwt though.

zeelux, Nov 05 '21 12:11