TritonDataCenter / node-http-signature

Reference implementation of Joyent's HTTP Signature Scheme
https://tritondatacenter.com
MIT License

Upgrade jsprim dependency to v 2.0.1 #124

Closed BruceHaley closed 2 years ago

BruceHaley commented 2 years ago

As noted in issue #123, http-signature has a critical severity vulnerability brought in by a transitive dependency through jsprim on json-schema v0.2.3.

node-jsprim has a pull request which fixes the vulnerability.

This dependency upgrade to jsprim ^2.0.1 assumes the vulnerability fix will be released in jsprim version 2.0.n. Thus, http-signature would be positioned to receive that fix and pass it up the dependency chain whenever the jsprim patch is released.

This would improve the security of our Bot Framework samples and I expect a lot of other products. A typical dependency tree of our sample bots is:

echobot@1.0.0 C:\src\BotBuilder-Samples\samples\typescript_nodejs\02.echo-bot
-- restify@8.6.0
  -- http-signature@1.3.5
    -- jsprim@1.4.1
      -- json-schema@0.2.3
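To illustrate the two mechanisms the comment above relies on, here is an added example (not code from node-http-signature or from the PR author): it walks a small dependency tree constructed to mirror the quoted `npm ls` output, reports every path that reaches a given package version, and implements the caret-range rule that decides whether a declared range such as `^2.0.1` would pick up a later patch release. The tree data, the function names and the simplified caret semantics (only `^major.minor.patch` ranges are handled) are assumptions of this example.

```javascript
// Added example, not part of node-http-signature or the PR.
// Walks a constructed npm-style dependency tree and checks caret ranges.

// Constructed tree mirroring the `npm ls` output quoted in the PR comment.
const sampleTree = {
  name: 'echobot', version: '1.0.0',
  dependencies: [
    { name: 'restify', version: '8.6.0', dependencies: [
      { name: 'http-signature', version: '1.3.5', dependencies: [
        { name: 'jsprim', version: '1.4.1', dependencies: [
          { name: 'json-schema', version: '0.2.3', dependencies: [] },
        ] },
      ] },
    ] },
  ],
};

// Parse "X.Y.Z" into [X, Y, Z]; prerelease tags and build metadata are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics: the leftmost non-zero component is frozen, everything to
// its right may float. ^2.0.1 => >=2.0.1 <3.0.0; ^0.2.3 => >=0.2.3 <0.3.0;
// ^0.0.3 => >=0.0.3 <0.0.4.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are supported here');
  const lower = range.slice(1);
  const [maj, min, pat] = parseVersion(lower);
  let upper;
  if (maj > 0) upper = `${maj + 1}.0.0`;
  else if (min > 0) upper = `0.${min + 1}.0`;
  else upper = `0.0.${pat + 1}`;
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Return every dependency path (array of "name@version" strings) that ends at
// targetName; if targetVersion is given, only that version counts as a hit.
function findPaths(node, targetName, targetVersion, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = [];
  const versionMatches = targetVersion === undefined || node.version === targetVersion;
  if (node.name === targetName && versionMatches) hits.push(here);
  for (const dep of node.dependencies || []) {
    hits.push(...findPaths(dep, targetName, targetVersion, here));
  }
  return hits;
}

// Which declared range for jsprim would still accept a hypothetical fixed
// 2.0.x release while excluding the 1.4.1 currently in the tree?
function rangeAcceptsFix(range, fixedVersion, currentVersion) {
  return satisfiesCaret(range, fixedVersion) && !satisfiesCaret(range, currentVersion);
}

// Stand-alone run: print the offending chain and the range check.
for (const p of findPaths(sampleTree, 'json-schema', '0.2.3')) {
  console.log(p.join(' > '));
}
console.log('^2.0.1 accepts a 2.0.5 fix and rejects 1.4.1:',
  rangeAcceptsFix('^2.0.1', '2.0.5', '1.4.1'));
```

The `2.0.5` value above is a placeholder for whatever patch release ships the fix; the point is that any `2.0.x` at or above `2.0.1` satisfies the range, while `1.4.1` and a future `3.0.0` do not, which is exactly why a caret bump lets the fix flow down the chain without a further change to http-signature.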
BruceHaley commented 2 years ago

Obsoleted by #125