auth0 / node-jwks-rsa

A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint.
MIT License

Create a new release containing jose 2.0.6 #325

Closed. hatzz closed this 2 years ago.

hatzz commented 2 years ago

Currently jose@2.0.6 is in the master branch in this repository but a new release has not yet come out. I am getting npm audit issues from jwks-rsa@2.1.4 which still depends on jose@2.0.5.

When will a new release come?

adamjmcgrath commented 2 years ago

Hi @Hatzz - We'll do a release shortly.

The jose version specified in the package for the current release is ^2.0.5, which means you can install the latest 2.x jose release (e.g. 2.0.6) along with this package. So you should not be blocked by a release; updating your package-lock (by running npm audit --fix) will resolve your issue.

hatzz commented 2 years ago

Alright, I will do that in the meantime. Thanks!

mboaventura commented 2 years ago

Hi @adamjmcgrath, please create a new release with >=3.11.4, which solves those vulns: CVE-2021-29444, CVE-2021-29445, CVE-2021-29446 and CVE-2022-36083. Thanks in advance.

adamjmcgrath commented 2 years ago

Hi @mboaventura - see https://github.com/auth0/node-jwks-rsa/issues/316#issuecomment-1157704084. Those CVEs are for other variants of jose. The variant of jose we use has been patched for the vulnerability you're specifying.