slim-jwt-auth icon indicating copy to clipboard operation
slim-jwt-auth copied to clipboard

Published 20 hours ago verified publisher icon tuupola

how to update dependencies?

Open NeftaliAcosta opened this issue 2 years ago • 3 comments

Can you help me update the dependencies? Gitlab SAST show me an error and I need update to firebase/php-jwt ^6

image

Thank you.

NeftaliAcosta avatar Jan 31 '23 00:01 NeftaliAcosta

Not possibe. firebase/php-jwt:6.x made such changes it is impossible to use it without breaking BC. See discussion at: https://github.com/tuupola/slim-jwt-auth/issues/217

I really do dislike CVE-2021-46743 because vulnerability scanners tag it has critical even though there is no vulnerability. Even the report itself says: "NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself."

tuupola avatar Jan 31 '23 04:01 tuupola

With firebase/php-jwt version 5.5 it is possible to mitigate the issue.

I had to update the interface of my library to allow for the workaround, by introducing a Secret object, which mimics what firebase/php-jwt did in v5.5. Maybe this will help.

I was also forced to bump the major version in order to mitigate the issue by-default, as they did in firebase/php-jwt version 6.

dakujem avatar May 04 '23 17:05 dakujem

@dakujem I had totally missed this. Thanks!

https://github.com/firebase/php-jwt/releases/tag/v5.5.0

tuupola avatar Jun 29 '23 07:06 tuupola