TryGhost / SDK

Tools for working with Ghost's APIs
MIT License

Consider Migrating Dependency `jsonwebtoken` to `jose` #459

Closed sgrobert closed 1 year ago

sgrobert commented 1 year ago

To whom it may concern,

I'm just tracking my current installation packages and realized that the only remaining npm vulnerability relates to the @tryghost/admin-api package, which seems to be pulled from https://github.com/TryGhost/SDK/tree/main/packages/admin-api .

Based on the package.json, it does look like jsonwebtoken is being used:

...
  "dependencies": {
    "axios": "^0.27.0",
    "form-data": "^4.0.0",
    "jsonwebtoken": "^8.4.0"
  },
...

This has raised a vulnerability report via npm audit:


# npm audit report

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
No fix available
node_modules/jsonwebtoken
  @tryghost/admin-api  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@tryghost/admin-api

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

[Screenshot of the npm audit output, taken 2023-02-27]


Though it is not critical, I would like to suggest migrating from jsonwebtoken to jose, as they basically do the same JWT token handling, so that the vulnerabilities can be trimmed down to zero.

Hope for your team's consideration.

Thank you.

daniellockyer commented 1 year ago

Hey @sgrobert - whilst we could switch, I've just gone for the option of updating the package for now 🙂