kendo-react
@progress/kendo-licensing semver security vulnerability
- Bug report
Current behavior
The latest version of @progress/kendo-licensing (1.3.0) has a dependency on semver@7.3.8, which exposes a security vulnerability. This is fixed in semver@7.5.2.
Expected behavior
@progress/kendo-licensing has up-to-date, secure dependencies.
Minimal reproduction of the problem with instructions
This vulnerability was reported by snyk.io. To reproduce:
- Install @progress/kendo-licensing in your project
- Configure Snyk
- See the semver ReDoS vulnerability
What is the motivation or use case for changing the behavior?
Securing applications that depend on @progress/kendo-licensing
Environment
Package versions: 1.3.0
Browser: N/A
System: N/A
Snyk report:
This looks like a false positive, but might be due to a stale package-lock.json file. Try updating the dependencies in your project using npm update.

In more detail, @progress/kendo-licensing depends on jsonwebtoken 9.0.0, which loosely specifies "semver": "^7.3.8". NPM should pick up the latest version during an update.
@tsvetomir I regularly upgrade dependencies, but because of the indirect relationship to semver I don't have control over its version. Yarn only lists dependency versions one layer deep; here's how my yarn.lock looks:

    "@progress/kendo-licensing@^1.3.0":
      version "1.3.0"
      resolved "https://registry.yarnpkg.com/@progress/kendo-licensing/-/kendo-licensing-1.3.0.tgz#92cb1033c56e5b86ef0c5d81ea83e887b4557614"
      integrity sha512-Bp5MUX6wVHVUW8ZJUNcFVw9/KwRvP/a9zg2gAwRhpHVlwrSPbIpCMoBRRk32CEzC1tpUsIuQywT95+97HXZDTg==
      dependencies:
        jsonwebtoken "^9.0.0"

Is it possible to resolve this without action from jsonwebtoken?
It should be possible to override indirect dependency versions through the resolutions section:

    "resolutions": {
      "semver": "^7.5.2"
    }
Also reported in https://github.com/auth0/node-jsonwebtoken/issues/921 and https://github.com/auth0/node-jsonwebtoken/issues/905
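The thread above turns on two things a reader cannot see from a one-level `dependencies:` listing: which resolved copies of semver the lockfile actually holds, and whether forcing one of them to 7.5.2 via `resolutions` stays inside the range jsonwebtoken declared. The Node script below is an added example, not code from the issue thread, from Progress, or from jsonwebtoken: it parses a yarn.lock (v1 format), traces the chain that requests each copy of a package, flags copies below the fixed version, and reports whether the override would satisfy the requester's declared range. It assumes plain registry specs (no npm:/git: aliases), models only caret and exact ranges, and ignores prerelease tags; the lockfile is constructed, and "example-app-tooling" is a made-up package.

```javascript
// Added example, not from the issue thread or the kendo-licensing project:
// audit a yarn.lock (v1) for every resolved copy of a transitive package,
// trace the chain that requests each copy, and check whether a package.json
// "resolutions" override to the fixed version stays inside the requester's
// declared range. Assumes plain registry specs, caret or exact ranges only,
// and drops prerelease tags. Constructed lockfile; "example-app-tooling" is made up.
const SAMPLE_LOCK = `# yarn lockfile v1

"@progress/kendo-licensing@^1.3.0":
  version "1.3.0"
  dependencies:
    jsonwebtoken "^9.0.0"

example-app-tooling@^1.0.0:
  version "1.0.0"
  dependencies:
    semver "^7.5.0"

jsonwebtoken@^9.0.0:
  version "9.0.0"
  dependencies:
    semver "^7.3.8"

semver@^7.3.8:
  version "7.3.8"

semver@^7.5.0:
  version "7.5.4"
`;

// Top-level "name@range[, name@range]:" entries -> [{ keys, name, version, dependencies }]
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const keys = line.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      cur = { keys, name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: null, dependencies: {} };
      entries.push(cur);
      inDeps = false;
    } else if (line.startsWith("    ") && inDeps) {
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"([^"]+)"$/); // scoped names are quoted
      if (m) cur.dependencies[m[1]] = m[2];
    } else {
      const t = line.trim();
      inDeps = t === "dependencies:" || t === "optionalDependencies:";
      const m = t.match(/^version "([^"]+)"$/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison: -1, 0 or 1 (prerelease tags dropped).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// True/false for an exact pin or a caret range; null for syntax not modelled here.
function satisfiesRange(range, version) {
  if (/^\d+\.\d+\.\d+$/.test(range)) return compareVersions(version, range) === 0;
  const m = range.match(/^\^(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return null;
  const [maj, min, pat] = m.slice(1).map(Number);
  if (compareVersions(version, m[0].slice(1)) < 0) return false;
  const v = version.split("-")[0].split(".").map(Number);
  if (maj > 0) return v[0] === maj;                  // ^7.3.8 => any 7.x.y
  if (min > 0) return v[0] === 0 && v[1] === min;    // ^0.3.8 => 0.3.y
  return v[0] === 0 && v[1] === 0 && v[2] === pat;   // ^0.0.8 => 0.0.8 only
}

// Every resolved copy of pkgName: the chain that requests it, whether it is below
// fixedVersion, and whether forcing fixedVersion stays in the requester's range.
function auditTransitive(lockText, pkgName, fixedVersion) {
  const entries = parseYarnLock(lockText);
  const byKey = new Map();
  for (const e of entries) for (const k of e.keys) byKey.set(k, e);
  const parents = new Map(); // lock entry -> [{ parent, range }]
  for (const e of entries) {
    for (const [dep, range] of Object.entries(e.dependencies)) {
      const child = byKey.get(`${dep}@${range}`);
      if (child) parents.set(child, [...(parents.get(child) || []), { parent: e, range }]);
    }
  }
  return entries.filter((e) => e.name === pkgName).map((e) => {
    const chain = [`${e.name}@${e.version}`], seen = new Set([e]);
    let node = e, requestedAs = null;
    while (parents.has(node)) { // follow the first requester up to a root; stop on cycles
      const { parent, range } = parents.get(node)[0];
      if (seen.has(parent)) break;
      seen.add(parent);
      if (requestedAs === null) requestedAs = range;
      chain.unshift(`${parent.name}@${parent.version}`);
      node = parent;
    }
    return { version: e.version, path: chain.join(" > "), requestedAs,
             vulnerable: compareVersions(e.version, fixedVersion) < 0,
             overrideInRange: requestedAs === null ? null : satisfiesRange(requestedAs, fixedVersion) };
  });
}

if (typeof require !== "undefined" && require.main === module) console.log(auditTransitive(SAMPLE_LOCK, "semver", "7.5.2"));
```

Run it with `node` against a real yarn.lock by replacing `SAMPLE_LOCK` with the file contents. On the constructed lockfile only the 7.3.8 copy is flagged, with the chain `@progress/kendo-licensing@1.3.0 > jsonwebtoken@9.0.0 > semver@7.3.8` and `overrideInRange: true`, because the `^7.3.8` that jsonwebtoken declares admits 7.5.2; that is the condition under which the `resolutions` entry in the thread is a safe fix. Had the requester pinned an exact version or a lower major, `overrideInRange` would be false and the override would force a version the intermediate package never claimed to support, which is the check worth doing before trusting either `npm update` or a blanket `resolutions` rule. For npm-based projects the equivalent mechanism is the `overrides` field in package.json (npm 8.3 and later).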