lgodmer
commented
6 years ago Thanks @andygout! @omsmith can we get a released version with this change? We are also hitting issues in snyk due to the jwa dependency.
Closed andygout closed 5 years ago
lgodmer
commented
6 years ago Thanks @andygout! @omsmith can we get a released version with this change? We are also hitting issues in snyk due to the jwa dependency.
charlenetshos
commented
6 years ago @omsmith @brianloveswords we are failing nsp check in one of our projects because of https://nodesecurity.io/advisories/658.
When will this change be released?
iamariffikri
commented
6 years ago Can we have this merged? Node security is bugging us for Out-of-bounds Read in base64url.
Upgrades the
jwadependency from^1.1.5to^1.1.6so that projects not downloading packages on a semver basis (i.e. using apackage-lock.json) are able to benefit from the changes introduced in v1.1.6 of that package, namely:base64url.ecdsa-sig-formatterfrom v1.0.9 to v1.0.10, the latter of which dispenses with its dependency ofbase64url.Vulnerabilities have been reported (by Whitesource and Synk) in
base64url< v3.0.0 and so we would like those versions to be excluded from our dependency tree.