yuhui commented 1 year ago

Expected Behaviour

When installing, npm should not report any high severity vulnerabilities.

Actual Behaviour

When installing, npm reports a high severity vulnerability:

Steps to Reproduce

Environment: node v19.3.0, npm v9.2.0

Run npm i @adobe/reactor-uploader.

Platform and Version

All

Logs taken while reproducing problem

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
No fix available
node_modules/jsonwebtoken
  @adobe/jwt-auth  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@adobe/jwt-auth
    @adobe/reactor-uploader  >=2.0.0
    Depends on vulnerable versions of @adobe/jwt-auth
    node_modules/@adobe/reactor-uploader

4 high severity vulnerabilities

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

yuhui commented 1 year ago

This vulnerability is caused by https://github.com/adobe/jwt-auth/issues/60

brenthosie commented 1 year ago

@adobe export issue to Jira project PDCL as Story

github-jira-sync-bot commented 1 year ago

:white_check_mark: Jira issue PDCL-10140 is successfully created for this GitHub issue.