Closed IBlasterus closed 3 months ago
Can be solved by using node's native crypto library, as explained here: https://stackoverflow.com/a/75074566

```js
const { createPublicKey } = require('crypto')

// Build a KeyObject from the JWK, then export it as an SPKI PEM string.
function jwkToPem(webKey) {
  const pubKey = createPublicKey({
    key: webKey,
    format: 'jwk'
  });
  return pubKey.export({ format: "pem", type: "spki" }).toString();
}
```
Good morning and thanks for raising the issue.
As @rlsf points out, this library doesn't serve much need for modern node any longer, especially if your goal is to work with the key within node - you can use the KeyObject returned by createPublicKey instead of a PEM string.
That said, will certainly review the issue today.
Update: the areas of concerns raised within the elliptic library are around signature validation. jwk-to-pem does not interact with signatures and as such is not impacted by the issues raised.
We will update the package once a new version is available.
Additionally, we will also consider doing a major version bump to use node:crypto before deprecating the package.
```
# npm audit report

elliptic  >=2.0.0
Elliptic allows BER-encoded signatures - https://github.com/advisories/GHSA-49q7-c7j4-3p7m
Elliptic's ECDSA missing check for whether leading bit of r and s is zero - https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic's EDDSA missing signature length check - https://github.com/advisories/GHSA-f7q4-pwc6-w24p
fix available via `npm audit fix --force`
Will install jwk-to-pem@1.2.0, which is a breaking change
node_modules/elliptic
  jwk-to-pem  >=1.2.1
  Depends on vulnerable versions of elliptic
  node_modules/jwk-to-pem

2 low severity vulnerabilities
```