twilio-node
Downstream dependency has vulnerability
Issue Summary
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ semver vulnerable to Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ semver │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ twilio │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ twilio > jsonwebtoken > semver │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1092310 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Hi @jdforsythe, thank you for the heads up! Our team has reviewed the twilio-node repository and doesn't see a semver dependency added here. Can you please share more details on where it is used?
Thanks, Athira
@AsabuHere You have a dependency on jsonwebtoken which, in turn, has a dependency on semver. The version they depend on is vulnerable.
Issue: https://github.com/auth0/node-jsonwebtoken/issues/905
PR for jsonwebtoken: https://github.com/auth0/node-jsonwebtoken/pull/919
Once a new version of jsonwebtoken is released with the dependency updated, you'll just need to update your dependency to a new version of jsonwebtoken.
Created a PR for this change. Thanks!
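An added example (not code from the twilio-node project or from this thread) of how a maintainer can confirm a transitive finding like the one above: it walks a package-lock.json "packages" map, resolves dependencies the way Node does, and reports every reachable copy of semver older than the patched 7.5.2 with the chain that pulls it in. The lockfile and its version numbers are constructed for illustration.

```javascript
// Added example (not twilio-node project code): walk an npm lockfile's "packages"
// map (lockfileVersion 2/3), resolve each dependency as Node does, and report every
// reachable copy of a package older than the patched release with its chain.
// Constructed lockfile mirroring the advisory path twilio > jsonwebtoken > semver;
// the version numbers are illustrative only.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { twilio: "^4.0.0", semver: "^7.5.2" } },
    "node_modules/twilio": { version: "4.0.0", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/jsonwebtoken": { version: "9.0.0", dependencies: { semver: "^7.3.8" } },
    "node_modules/jsonwebtoken/node_modules/semver": { version: "7.3.8" },
    "node_modules/semver": { version: "7.5.4" },
  },
};
// Numeric major.minor.patch comparison (prerelease suffix ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Resolve `dep` from package key `base` the way Node does: nearest node_modules wins.
function resolve(lock, base, dep) {
  for (;;) {
    const key = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Return [{ path, version }] for every reachable copy of `name` below `patched`.
function findVulnerable(lock, name, patched) {
  const hits = [];
  const walk = (key, chain, seen) => {
    for (const dep of Object.keys(lock.packages[key].dependencies || {})) {
      const depKey = resolve(lock, key, dep);
      if (!depKey || seen.has(depKey)) continue; // missing from lockfile, or a cycle
      const version = lock.packages[depKey].version;
      const path = [...chain, dep];
      if (dep === name && compareVersions(version, patched) < 0) hits.push({ path: path.join(" > "), version });
      walk(depKey, path, new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set());
  return hits;
}
console.log(findVulnerable(SAMPLE_LOCK, "semver", "7.5.2"));
```

The hoisted top-level semver 7.5.4 is not reported; only the nested copy under jsonwebtoken is, which is why updating the direct dependency alone does not clear the advisory.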