newman

jose dependency is vulnerable (moderate)

Open filoucrackeur opened this issue 1 year ago • 4 comments

Hello,

yarn audit shows this output: the jose dependency is vulnerable. Is it possible to upgrade or replace it?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ jose vulnerable to resource exhaustion via specifically      │
│               │ crafted JWE with compressed plaintext                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jose                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.15.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > jose                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1096835                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

filoucrackeur, Jun 10 '24 07:06

https://github.com/advisories/GHSA-hhhv-q57g-882q

thetumper, Jul 30 '24 21:07

Do we have any news here? It's annoying to manually set overrides while using the newman CLI in our project.

lucas-implanta, Sep 02 '24 12:09

We can work around it by using version 6.2.0 of newman. It uses [email protected], which uses [email protected], which doesn't have the vulnerability.

maicodio, Sep 24 '24 15:09

Confirmed 6.2.0 fixes this.

The weird thing is that 6.2.1 does not. Is this a regression in dependencies?

kburns-r7, Oct 10 '24 14:10
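A check for the two workarounds discussed above (manually setting overrides, and pinning a newman version whose postman-runtime resolves a patched jose), added here as an example; it is not code from the newman project or from anyone in this thread. It scans a parsed package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by install path) for every copy of jose below the "Patched in" version from the yarn audit table, prints the dependency chain implied by each nested path, and emits the package.json override entry that forces the patched line. The lock data in the block is constructed; the newman and postman-runtime version strings and dependency specifiers in it are placeholders, not the project's real history.

```javascript
// Added example, not code from the newman project or from this issue's participants.
// Scans a parsed package-lock.json (v2/v3 "packages" map keyed by install path) for
// copies of a package below its patched version, reports the dependency chain that
// each nested path implies, and builds the override entry that forces a fixed version.
// The lock data below is constructed; version strings for newman and postman-runtime
// are placeholders.

const PACKAGE = 'jose';
const PATCHED = '4.15.5'; // "Patched in >=4.15.5", from the yarn audit table in the issue

// Minimal release-version comparison (major.minor.patch only; prerelease tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "node_modules/newman/node_modules/postman-runtime/node_modules/jose"
//   -> ["newman", "postman-runtime", "jose"]
// Scoped names ("node_modules/@scope/pkg") survive because only the
// "node_modules/" separators are split on.
function chainFromPath(lockPath) {
  return lockPath
    .split('node_modules/')
    .map((s) => s.replace(/\/$/, ''))
    .filter((s) => s.length > 0);
}

// Every lock entry whose "dependencies" map requests pkgName. Needed for a hoisted
// copy at "node_modules/<pkg>", whose path alone does not say who depends on it.
function requestersOf(lock, pkgName) {
  return Object.entries(lock.packages || {})
    .filter(([, entry]) => entry.dependencies && pkgName in entry.dependencies)
    .map(([lockPath]) => (lockPath === '' ? '<root>' : chainFromPath(lockPath).join(' > ')));
}

function findVulnerable(lock, pkgName, patched) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const chain = chainFromPath(lockPath);
    if (chain.length === 0 || chain[chain.length - 1] !== pkgName) continue;
    if (compareVersions(entry.version, patched) < 0) {
      hits.push({
        path: lockPath,
        version: entry.version,
        chain: chain.join(' > '),
        // For a hoisted copy the chain is just the package itself; look up who requests it.
        requesters: chain.length === 1 ? requestersOf(lock, pkgName) : [],
      });
    }
  }
  return hits;
}

// package.json fragment that pins every copy to the patched line: "overrides" for
// npm >= 8.3, "resolutions" for yarn classic. The caret keeps the forced copy in the
// same major (4.x) that the newman > postman-runtime path in the audit output resolves.
function overrideFragment(pkgName, patched, manager) {
  const key = manager === 'yarn' ? 'resolutions' : 'overrides';
  return { [key]: { [pkgName]: `^${patched}` } };
}

// Constructed sample lock: one nested vulnerable copy under newman's postman-runtime,
// plus a hoisted copy that is already past the patched version.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { newman: '6.2.1', jose: '^5.2.0' } },
    'node_modules/newman': { version: '6.2.1', dependencies: { 'postman-runtime': '*' } },
    'node_modules/newman/node_modules/postman-runtime': {
      version: '0.0.0', // placeholder, not a real postman-runtime release
      dependencies: { jose: '^4.14.0' },
    },
    'node_modules/newman/node_modules/postman-runtime/node_modules/jose': { version: '4.14.4' },
    'node_modules/jose': { version: '5.2.0' },
  },
};

function report(lock) {
  const hits = findVulnerable(lock, PACKAGE, PATCHED);
  for (const h of hits) {
    console.log(`${h.chain}: ${PACKAGE}@${h.version} < ${PATCHED} (${h.path})`);
  }
  if (hits.length > 0) {
    console.log('suggested package.json entry:', JSON.stringify(overrideFragment(PACKAGE, PATCHED, 'npm')));
  }
  return hits;
}

report(sampleLock);
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls jose` prints the same chains from the installed tree, and yarn classic users (who have a yarn.lock rather than a package-lock.json) get them from `yarn why jose`. The chain printed for a nested path comes purely from the directory nesting, so a hoisted copy at `node_modules/jose` is attributed via the `requesters` list instead; rerun the check after adding the override, since an override that does not match the nested copy's major leaves the vulnerable path in place.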

There has been a dependabot PR opened for some time that tries to upgrade postman-runtime to a version that will have a safe jose: https://github.com/postmanlabs/newman/pull/3291

juanitosvq, Sep 26 '25 17:09