Wizcorp / node-iap

In-app purchase validation for Apple, Google, Amazon, Roku

SECURITY - package upgrades to address security vulnerabilities #63

Closed ndangles closed 5 years ago

ndangles commented 5 years ago

This PR upgrades some third-party dependencies of node-iap to address security vulnerabilities.

jwt-simple https://www.npmjs.com/advisories/831

node-iap isn't directly affected because it doesn't use the decode function, but it's still good to upgrade and nice to get rid of the warning from npm audit. The jsonwebtoken package is more heavily used and vetted, so it might be safer to use in the future. I know it is not as lightweight as jwt-simple, but it's just something to consider.

eslint https://npmjs.com/advisories/782 https://npmjs.com/advisories/788 https://npmjs.com/advisories/813

ronkorving commented 5 years ago

I agree with your considerations. Thanks for the PR!