Fails Node audit (HIGH vulnerability)

[chladnefazole]

Describe the bug This package isn't secure, it depends on an old version of mssql which has a bunch of jsonwebtoken issues:

• jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
• jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
• jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
• jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q

To Reproduce

• Run npm install connect-mssql-v2
• Run npm audit
• Error is there

Expected behavior Package should be updated to use mssql ^7.2.0

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows
• Node Version: >=14
• Package Version: 3.1.4

Additional context This is the only working session manager package for Microsoft SQL Server/TSQL and Node, and the vulnerabilities are significant. This could cause a lot of sites using MSSQL to become insecure as a result.

[JLuboff]

Hi @chladnefazole, thanks for bringing this up. npm audit fix solution would be to downgrade mssql to v7 which, I don't agree with. These vulnerabilities still exist in v9 but as one of the maintainers of mssql states, it is likely not an issue as no authentication takes place in the mssql library (see: https://github.com/tediousjs/node-mssql/issues/1451).

[chladnefazole]

@JLuboff Ok, understood. It's not a problem for my project but might be in some corporate setup where they don't allow any high-level vulnerabilities. But I understand that this vulnerability is not relevant to mssql.