docusign / docusign-esign-node-client

The Official DocuSign Node.js Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
http://docusign.github.io/docusign-esign-node-client
MIT License

Upgrade dependency on jsonwebtoken from 8.2.0 to >=9.0.0 #314

Closed lara-sweeney closed 1 year ago

lara-sweeney commented 1 year ago

Hi,

Is it possible to upgrade the dependency on jsonwebtoken from 8.2.0 to >=9.0.0 as the older version may have a security vulnerability?

"created": "2022-12-22T03:31:28.000Z",

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

# Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

# How do I fix it?

Update to version 9.0.0

# Will the fix impact my users?

The fix has no impact on end users.

# Credits

Palo Alto Networks

"url": "https://github.com/advisories/GHSA-27h2-hvpr-p74q"
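
The advisory quoted above puts the affected range at jsonwebtoken <=8.5.1 with the fix in 9.0.0. Because an SDK can pin its own nested copy of jsonwebtoken (the situation this issue is about), the top-level version alone does not answer "Am I affected?". The following is an added example, not code from this repository or from DocuSign: it walks a package-lock.json in the lockfileVersion 2/3 "packages" shape and reports every installed jsonwebtoken, nested or not, whose version is still inside the affected range. The lockfile content is constructed for the demonstration; the version-comparison helper is a minimal semver triple compare that ignores prerelease tags.

```javascript
// Added example (not part of the DocuSign SDK): scan a package-lock.json
// dependency tree for jsonwebtoken versions affected by GHSA-27h2-hvpr-p74q
// (all releases <= 8.5.1; fixed in 9.0.0). Uses no external packages.

// Constructed sample of a lockfile in the lockfileVersion 2/3 "packages" shape.
// The SDK pins its own nested jsonwebtoken while the app also has a newer top-level copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "docusign-esign": "5.x" } },
    "node_modules/docusign-esign": {
      version: "5.19.0",
      dependencies: { jsonwebtoken: "8.2.0" },
    },
    "node_modules/docusign-esign/node_modules/jsonwebtoken": { version: "8.2.0" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional "v" prefix; any -prerelease suffix is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions as semver triples: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Last affected release per the advisory text quoted in this issue.
const LAST_VULNERABLE = "8.5.1";

// Return every installed jsonwebtoken (top-level or nested under another
// package's node_modules) whose version is <= LAST_VULNERABLE.
function findVulnerableJwt(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile keys are install paths, so a nested copy ends the same way.
    if (!path.endsWith("node_modules/jsonwebtoken")) continue;
    if (compareVersions(entry.version, LAST_VULNERABLE) <= 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

function main() {
  const hits = findVulnerableJwt(SAMPLE_LOCK);
  if (hits.length === 0) {
    console.log("no affected jsonwebtoken versions installed");
    return;
  }
  for (const h of hits) {
    console.log(`AFFECTED ${h.path} @ ${h.version} (<= ${LAST_VULNERABLE}; upgrade to >= 9.0.0)`);
  }
}

main();
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files use a nested "dependencies" tree instead of flat "packages" keys and would need a recursive walk. The path in each finding tells you which parent package owns the pinned copy, which is the package that has to be upgraded (here the SDK) rather than the application's own dependency list.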

kamran-DS commented 1 year ago

Hi Lara,

Please open a ticket with our support team and we will have this addressed as soon as possible.

lara-sweeney commented 1 year ago

Hi Lara,

Please open a ticket with our support team and we will have this addressed as soon as possible.

Hi Kamran-DS, thanks, how do I open a ticket with your support team?

Thanks,

Lara

lucasdluengo commented 1 year ago

I also would love to see the dependencies updated.

jglassenberg commented 1 year ago

Hi everyone, I'm on the Product team at Docusign for our developer experience. I submitted a ticket for our engineers to investigate, and will keep you apprised of the status over the coming weeks. This may take more time than usual due to the holidays, but I'll post updates here.

Plamen5kov commented 1 year ago

Hey @jglassenberg I'm also here to request the update to 9.0.0 as @lara-sweeney did. No pressure, just one more person who needs this update to sleep well at night :D

lara-sweeney commented 1 year ago

Hi @jglassenberg, thanks again for your response, hope you and your team enjoyed the holidays! Would it be possible to have an update or timeframe on the upgrade when you have time?

jglassenberg commented 1 year ago

Apologies for the delay. Usually I follow up at least every two weeks for open bugs.

This issue is still a work in progress. I don't yet have an ETA, but it is under investigation by an engineer. I don't anticipate that this will be resolved and released in January, unfortunately, but am looking to have this resolved in February.

kcastex commented 1 year ago

Hi @lara-sweeney, our team just pushed a new version of the SDK yesterday (6.0.0) including this issue being fixed. Worth mentioning that along with this release, we are deprecating support for Node versions <12, as it is a hard requirement from jsonwebtoken.

Cheers