chore(deps): update dependency jsonwebtoken --> v9
This MR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
jsonwebtoken | ^8.5.1 -> ^9.0.0 |
Release Notes
auth0/node-jsonwebtoken
v9.0.0
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([
8345030
]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16) - RSA key size must be 2048 bits or greater. ([
ecdf6cc
]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6) - Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes
Arbitrary File Write via verify function
- CVE-2022-23529 - security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass
- CVE-2022-23540 - security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- CVE-2022-23541 - security: fixes
Unrestricted key type could lead to legacy keys usage
- CVE-2022-23539
Configuration
-
If you want to rebase/retry this MR, check this box.