Closed mend-for-github-com[bot] closed 1 year ago
You have successfully added a new CodeQL configuration .github/workflows/codeql-analysis.yml:analyze/language:javascript
. As part of the setup process, we have scanned this repository and found 162 existing alerts. Please check the repository Security tab to see all alerts.
This PR contains the following updates:
0.4.0
->4.2.0
By merging this PR, the issue #194 will be automatically resolved and closed:
Release Notes
auth0/node-jsonwebtoken
### [`v4.2.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#420---2015-03-16) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.1.0...v4.2.0) ##### Security - \[asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key. When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS\* family). The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`). This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`) https://github.com/auth0/node-jsonwebtoken/commit/c2bf7b2cd7e8daf66298c2d168a008690bc4bdd3 https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 ### [`v4.1.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#410---2015-03-10) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v4.0.0...v4.1.0) ##### Changed - Assume the payload is JSON even when there is no `typ` property. [5290db1](https://togithub.com/auth0/node-jsonwebtoken/commit/5290db1bd74f74cd38c90b19e2355ef223a4d931) ### [`v4.0.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#400---2015-03-06) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.2...v4.0.0) ##### Changed - The default encoding is now utf8 instead of binary. [92d33bd](https://togithub.com/auth0/node-jsonwebtoken/commit/92d33bd99a3416e9e5a8897d9ad8ff7d70a00bfd) - Add `encoding` as a new option to `sign`. [1fc385e](https://togithub.com/auth0/node-jsonwebtoken/commit/1fc385ee10bd0018cd1441552dce6c2e5a16375f) - Add `ignoreExpiration` to `verify`. [8d4da27](https://togithub.com/auth0/node-jsonwebtoken/commit/8d4da279e1b351ac71ace276285c9255186d549f) - Add `expiresInSeconds` to `sign`. [dd156cc](https://togithub.com/auth0/node-jsonwebtoken/commit/dd156cc30f17028744e60aec0502897e34609329) ##### Fixed - Fix wrong error message when the audience doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327) - Fix wrong error message when the issuer doesn't match. [44e3c8d](https://togithub.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327) - Fix wrong `iat` and `exp` values when signing with `noTimestamp`. [331b7bc](https://togithub.com/auth0/node-jsonwebtoken/commit/331b7bc9cc335561f8806f2c4558e105cb53e0a6) ### [`v3.2.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.1...v3.2.2) ### [`v3.2.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.2.0...v3.2.1) ### [`v3.2.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.1...v3.2.0) ### [`v3.1.1`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.1.0...v3.1.1) ### [`v3.1.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v3.0.0...v3.1.0) ### [`v3.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v2.0.0...v3.0.0) ### [`v2.0.0`](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/eea72087db2fd73bdc17195223ed532b25ba3e3d...v2.0.0) ### [`v1.1.2`](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v1.1.1...v1.1.2)