io-backend
Bump jsonwebtoken from 8.5.1 to 9.0.0
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| jsonwebtoken | dependencies | major | `^8.5.1` -> `^9.0.0` |
For further information on security, please refer to the Confluence page link
Release Notes
auth0/node-jsonwebtoken (jsonwebtoken)
v9.0.0
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([8345030](https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16))
- RSA key size must be 2048 bits or greater. ([ecdf6cc](https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6))
- Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes Arbitrary File Write via verify function - CVE-2022-23529
- security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
- security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
- security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Renovate Bot.