To whom it may concern,
I'm just tracking my current installation packages and realized that the only remaining npm vulnerability relates to the @tryghost/admin-api package, which seems to be pulled from https://github.com/TryGhost/SDK/tree/main/packages/admin-api .
Based on the package.json, it does look like jsonwebtoken is being used:
This has raised a vulnerability report via npm audit:
# npm audit report
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
No fix available
node_modules/jsonwebtoken
@tryghost/admin-api *
Depends on vulnerable versions of jsonwebtoken
node_modules/@tryghost/admin-api
2 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Screenshot:
Though it is not critical, I would like to suggest migrating from jsonwebtoken to jose, as they basically do the same JWT token handling, so that the vulnerabilities can be trimmed down to zero. Hope for your team's consideration.
Thank you.