Closed lara-sweeney closed 1 year ago
Hi Lara,
Please open a ticket with our support team and we will have this addressed as soon as possible.
Hi Kamran-DS, thanks, how do I open a ticket with your support team?
Thanks,
Lara
I also would love to see the dependencies updated.
Hi everyone, I'm on the Product team at Docusign for our developer experience. I submitted a ticket for our engineers to investigate, and will keep you apprised of the status over the coming weeks. This may take more time than usual due to the holidays, but I'll post updates here.
Hey @jglassenberg I'm also here to request the update to 9.0.0 as @lara-sweeney did. No pressure, just one more person who needs this update to sleep well at night :D
Hi @jglassenberg, thanks again for your response, hope you and your team enjoyed the holidays! Would it be possible to have an update or timeframe on the upgrade when you have time?
Apologies for the delay. Usually I follow up at least every two weeks for open bugs.
This issue is still a work in progress. I don't yet have an ETA, but it is under investigation by an engineer. I don't anticipate that this will be resolved and released in January, unfortunately, but am looking to have this resolved in February.
Hi @lara-sweeney, our team just pushed a new version of the SDK yesterday (6.0.0), which includes the fix for this issue. It is worth mentioning that, along with this release, we are deprecating support for Node versions <12, as it is a hard requirement from jsonwebtoken.
Cheers
Hi,
Is it possible to upgrade the dependency on jsonwebtoken from 8.2.0 to >=9.0.0, as the older version may have a security vulnerability?
For versions `<=8.5.1` of the `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link) of the `jwt.verify()` function, they can gain remote code execution (RCE).

# Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the `jwt.verify()` on a host that you control.

# How do I fix it?

Update to version 9.0.0

# Will the fix impact my users?

The fix has no impact on end users.

# Credits

Palo Alto Networks

https://github.com/advisories/GHSA-27h2-hvpr-p74q
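A lockfile check for the version range the advisory above names, covering copies of `jsonwebtoken` nested under another package (an added example, not part of the original thread or the SDK's code). The lockfile contents and the `example-sdk` package name are constructed sample data; in practice the object would come from `JSON.parse` of your own `package-lock.json`.

```javascript
// Added example, not from the thread. FIXED_IN is the fixed version named in the advisory.
const FIXED_IN = [9, 0, 0];

// True when `version` is older than 9.0.0. Pre-releases of 9.0.0 and versions
// that cannot be parsed (git URLs, tags) are reported so a person can check them.
function isBelowFix(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_IN[i]) return v[i] < FIXED_IN[i];
  }
  return Boolean(m[4]);
}

// Return every installed jsonwebtoken copy below the fix, direct or nested.
function findVulnerableJwt(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/jsonwebtoken$/.test(path) && isBelowFix(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested dependency tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'jsonwebtoken' && isBelowFix(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a hypothetical SDK pins an old copy, the app has a fixed one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-sdk': { version: '1.0.0' },
    'node_modules/example-sdk/node_modules/jsonwebtoken': { version: '8.2.0' },
    'node_modules/jsonwebtoken': { version: '9.0.0' },
  },
};
console.log(findVulnerableJwt(SAMPLE_LOCK));
```

A top-level `jsonwebtoken` at 9.0.0 does not clear the project if another package still installs its own older copy, which is the case this thread is about.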