Expected Behaviour
When installing, npm should not report any high severity vulnerabilities.
Actual Behaviour
When installing, npm reports a high severity vulnerability:
Steps to Reproduce
Environment: node v19.3.0, npm v9.2.0
Run npm i @adobe/reactor-uploader.
Platform and Version
All
Logs taken while reproducing problem
# npm audit report
jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
No fix available
node_modules/jsonwebtoken
@adobe/jwt-auth *
Depends on vulnerable versions of jsonwebtoken
node_modules/@adobe/jwt-auth
@adobe/reactor-uploader >=2.0.0
Depends on vulnerable versions of @adobe/jwt-auth
node_modules/@adobe/reactor-uploader
4 high severity vulnerabilities
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.