auth0 / node-jwa

JSON Web Algorithms
http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-08.html
MIT License

Insecure dependency base64url < 3.0.0 #29

Closed alex-thewsey-ibm closed 6 years ago

alex-thewsey-ibm commented 6 years ago

Dependency base64url ^2.0.0 is not secure per NSP advisory 658.

Please consider updating! Thanks

omsmith commented 6 years ago

It's a dev dependency and shouldn't cause any warnings on npm install or the like unless you're cloning the repo and installing them to do development. If I'm mistaken on that, please let me know!

Ref: https://github.com/brianloveswords/node-jwa/pull/27
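An added example, not code from node-jwa, that makes the distinction in the reply above checkable: in an npm `package-lock.json` with `lockfileVersion` 1, entries reachable only through `devDependencies` carry `"dev": true`, so an advisory against such an entry does not ship to consumers of the published package. The lock fragment and the "fixed in 3.0.0" boundary are constructed for illustration.

```javascript
// Constructed package-lock.json (lockfileVersion 1) fragment, not node-jwa's real lockfile.
// npm marks packages reachable only via devDependencies with "dev": true.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "base64url": { version: "2.0.0", dev: true },          // dev-only copy
    "some-runtime-lib": {
      version: "1.4.0",
      requires: { "base64url": "^2.0.0" },
      dependencies: { "base64url": { version: "2.0.0" } } // nested runtime copy
    },
    "base64url-new": { version: "3.0.1" }
  }
};

// Parse "MAJOR.MINOR.PATCH" into a comparable array of integers.
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// True when version a is strictly lower than version b.
function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the nested dependency tree and report every instance of pkgName whose
// version is below fixedIn, noting whether npm flagged that instance as dev-only.
function findVulnerableInstances(lock, pkgName, fixedIn, path = [], out = []) {
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkgName && versionLessThan(info.version, fixedIn)) {
      out.push({ path: here.join(" > "), devOnly: info.dev === true });
    }
    findVulnerableInstances(info, pkgName, fixedIn, here, out); // recurse into nested deps
  }
  return out;
}

// Runtime exposure exists only if some vulnerable instance is not dev-only.
function runtimeExposure(lock, pkgName, fixedIn) {
  return findVulnerableInstances(lock, pkgName, fixedIn).some((i) => !i.devOnly);
}
```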

alex-thewsey-ibm commented 6 years ago

Interesting point, thanks @omsmith! It's flagging as an NSP error in one of our toolchains (which installs devDependencies in order to perform a build step), but I'll investigate whether it's possible/sensible to update our NSP check config to ignore it.

alex-thewsey-ibm commented 6 years ago

👍 Our project pipeline is all sorted out now, ignoring the devDependencies in security checks. If I can get time I'll try looking at fixing the tests from that PR, but the module is pretty new to me so no guarantees! Thanks for your help & sorry for the PR-duplicating issue.

omsmith commented 6 years ago

Thanks @alex-thewsey-ibm, glad you got it sorted.