auth0 / express-jwt

connect/express middleware that validates a JsonWebToken (JWT) and sets `req.user` with the token's attributes
MIT License

[Snyk] Upgrade jsonwebtoken from 9.0.0 to 9.0.2 #344

Open TSLarson opened 7 months ago

TSLarson commented 7 months ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade jsonwebtoken from 9.0.0 to 9.0.2.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
- The recommended version is **2 versions** ahead of your current version.
- The recommended version was released **8 months ago**, on 2023-08-30.

The recommended version fixes:

| Severity | Issue | PriorityScore (*) | Exploit Maturity |
|:---:|:---|:---|:---|
| | Regular Expression Denial of Service (ReDoS)<br>[SNYK-JS-SEMVER-3247795](https://snyk.io/vuln/SNYK-JS-SEMVER-3247795) | **482/1000**<br>**Why?** Proof of Concept exploit, CVSS 7.5 | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: jsonwebtoken
  • 9.0.2 - 2023-08-30

    Release 9.0.2 (#935)

  • 9.0.1 - 2023-07-05 (https://snyk.io/redirect/github/auth0/node-jsonwebtoken/releases/tag/v9.0.1)

    Updating package version to 9.0.1 (#920, https://snyk.io/redirect/github/auth0/node-jsonwebtoken/pull/920)

  • 9.0.0 - 2022-12-21 (https://snyk.io/redirect/github/auth0/node-jsonwebtoken/releases/tag/v9.0.0)

  • Check if node version supports asymmetricKeyDetails

  • Validate algorithms for ec key type

  • Rename variable

  • Rename function

  • Add early return for symmetric keys

  • Validate algorithm for RSA key type

  • Validate algorithm for RSA-PSS key type

  • Check key types for EdDSA algorithm

  • Rename function

  • Move validateKey function to module

  • Convert arrow to function notation

  • Validate key in verify function

  • Simplify if

  • Convert if to switch..case

  • Guard against empty key in validation

  • Remove empty line

  • Add lib to check modulus length

  • Add modulus length checks

  • Validate mgf1HashAlgorithm and saltLength

  • Check node version before using key details API

  • Use built-in modulus length getter

  • Fix Node version validations

  • Remove duplicate validateKey

  • Add periods to error messages

  • Fix validation in verify function

  • Make asymmetric key validation the latest validation step

  • Change key curve validation

  • Remove support for ES256K

  • Fix old test that was using wrong key types to sign tokens

  • Enable RSA-PSS for old Node versions

  • Add specific RSA-PSS validations on Node 16 LTS+

  • Improve error message

  • Simplify key validation code

  • Fix typo

  • Improve error message

  • Change var to const in test

  • Change const to let to avoid reassigning problem

  • Improve error message

  • Test incorrect private key type

  • Rename invalid to unsupported

  • Test verifying of jwt token with unsupported key

  • Test invalid private key type

  • Change order of object parameters

  • Move validation test to separate file

  • Move all validation tests to separate file

  • Add prime256v1 ec key

  • Remove modulus length check

  • WIP: Add EC key validation tests

  • Fix node version checks

  • Fix error message check on test

  • Add successful tests for EC curve check

  • Remove only from describe

  • Remove only

  • Remove duplicate block of code

  • Move variable to a different scope and make it const

  • Convert allowed curves to object for faster lookup

  • Rename variable

  • Change variable assignment order

  • Remove unused object properties

  • Test RSA-PSS happy path and wrong length

  • Add missing tests

  • Pass validation if no algorithm has been provided

  • Test validation of invalid salt length

  • Test error when signing token with invalid key

  • Change var to const/let in verify tests

  • Test verifying token with invalid key

  • Improve test error messages

  • Add parameter to skip private key validation

  • Replace DSA key with a 4096 bit long key

  • Test allowInvalidPrivateKeys in key signing

  • Improve test message

  • Rename variable

  • Add key validation flag tests

  • Fix variable name in Readme

  • Change private to public dsa key in verify

  • Rename flag

  • Run EC validation tests conditionally

  • Fix tests in old node versions

  • Ignore block of code from test coverage

  • Separate EC validations tests into two different ones

  • Add comment

  • Wrap switch in if instead of having an early return

  • Remove unsupported algorithms from asymmetric key validation

  • Rename option to allowInvalidAsymmetricKeyTypes and improve Readme

  • 9.0.0

  • adding migration notes to readme

  • adding changelog for version 9.0.0

Co-authored-by: julienwoll julien.wollscheid@auth0.com

from jsonwebtoken GitHub release notes: https://snyk.io/redirect/github/auth0/node-jsonwebtoken/releases

Commit messages
Package name: jsonwebtoken
  • bc28861 Release 9.0.2 (#935)
  • 96b8906 refactor: use specific lodash packages (#933)
  • ed35062 security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (#932)
  • 84539b2 Updating package version to 9.0.1 (#920)
  • a99fd4b fix(stubs): allow decode method to be stubbed (#876)

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
