Closed andygout closed 5 years ago
Thanks @andygout! @omsmith can we get a released version with this change? We are also hitting issues in snyk due to the jwa dependency.
@omsmith @brianloveswords we are failing nsp check in one of our projects because of https://nodesecurity.io/advisories/658. When will this change be released?
Can we have this merged? Node security is bugging us for Out-of-bounds Read in base64url.
Upgrades the jwa dependency from ^1.1.5 to ^1.1.6 so that projects not downloading packages on a semver basis (i.e. using a package-lock.json) are able to benefit from the changes introduced in v1.1.6 of that package, namely:

- base64url.
- ecdsa-sig-formatter from v1.0.9 to v1.0.10, the latter of which dispenses with its dependency of base64url.

Vulnerabilities have been reported (by Whitesource and Snyk) in base64url < v3.0.0 and so we would like those versions to be excluded from our dependency tree.
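
A check for the goal stated in the description above, as an added example that is not part of the PR or the project's code: it walks a parsed package-lock.json and lists every copy of base64url below v3.0.0, including nested copies a lockfile keeps pinned. The function names and the sample lockfile are constructed for illustration.

```javascript
'use strict';

// Major number of a plain "x.y.z" version; NaN for git URLs, tarballs, etc.
function majorOf(version) {
  const m = /^(\d+)\./.exec(String(version));
  return m ? Number(m[1]) : NaN;
}

// List every copy of `name` in a parsed package-lock.json whose major
// version is below `minMajor`. Handles the nested "dependencies" layout
// (lockfileVersion 1) and the flat "packages" layout (lockfileVersion 2/3).
function findOldCopies(lock, name, minMajor) {
  const hits = [];
  const check = (pkg, version, path) => {
    // NaN < minMajor is false, so non-semver entries are skipped, not flagged.
    if (pkg === name && majorOf(version) < minMajor) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      // "node_modules/a/node_modules/b" -> ["a", "b"]; the root key "" is skipped.
      const parts = key.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
      if (parts.length) check(parts[parts.length - 1], info.version, parts.join(' > '));
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = trail.concat(dep);
      check(dep, info.version, path.join(' > '));
      walk(info.dependencies, path); // nested copies pinned under a parent
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    jwa: { version: '1.1.5', requires: { base64url: '2.0.0' } },
    base64url: { version: '2.0.0' },
    'ecdsa-sig-formatter': {
      version: '1.0.9',
      dependencies: { base64url: { version: '2.0.0' } },
    },
  },
};

console.log(findOldCopies(sampleLock, 'base64url', 3));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the build when the returned list is non-empty.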