docusign / docusign-esign-node-client

The Official DocuSign Node.js Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
http://docusign.github.io/docusign-esign-node-client
MIT License

jsonwebtoken Version has high vulnerabilities in docusign-click #317

Closed arealesramirez closed 1 year ago

arealesramirez commented 1 year ago

Hi Docusign,

I currently have docusign-click version 1.0.0. Currently, I'm getting vulnerabilities after running an audit (yarn audit) on the packages installed on my project.

The solution is to upgrade jsonwebtoken to version 9.0.0.

My temporary solution is to manually update the docusign-click dependency versions directly in the yarn.lock file and then run yarn to reinstall packages.

Ideally, docusign-click should update jsonwebtoken and release a new version.

Thanks in advance!
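
A lockfile check for the situation described in the comment above, as an added example that is not part of the original post or of DocuSign's code: it parses a yarn.lock (v1 format) and reports every entry that still resolves `jsonwebtoken` below 9.0.0, together with the package that requests it. The lockfile content, dependency ranges and function names are constructed for illustration.

```javascript
// Constructed sample in yarn.lock v1 format; ranges and versions are illustrative.
const SAMPLE_LOCK = `# yarn lockfile v1

docusign-click@^1.0.0:
  version "1.0.0"
  dependencies:
    jsonwebtoken "^8.2.0"

jsonwebtoken@^8.2.0:
  version "8.5.1"
`;
// Parse yarn.lock v1 text into [{ specs, version, deps }].
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) { // entry header: "@s/a@^1.0.0", b@~2.0.0:
      const specs = line.replace(/:$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      entries.push(cur = { specs, version: null, deps: {} });
      inDeps = false;
    } else if (cur && /^ {2}\S/.test(line)) { // two-space field of the entry
      const v = line.match(/^ {2}version "(.+)"$/);
      if (v) cur.version = v[1];
      inDeps = /^ {2}(optionalDependencies|dependencies):$/.test(line);
    } else if (cur && inDeps) { // four-space "name range" line
      const d = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (d) cur.deps[d[1]] = d[2];
    }
  }
  return entries;
}

// True when version (x.y.z, pre-release tag ignored) is lower than minimum.
function isBelow(version, minimum) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = minimum.split('.').map(Number);
  const i = [0, 1, 2].find((k) => (a[k] || 0) !== (b[k] || 0));
  return i !== undefined && (a[i] || 0) < (b[i] || 0);
}

// Entries resolving pkg below minimum, each with the specs that request it.
function findOutdated(lockText, pkg, minimum) {
  const entries = parseYarnLock(lockText);
  return entries
    .filter((e) => e.specs.some((s) => s.startsWith(`${pkg}@`)))
    .filter((e) => e.version && isBelow(e.version, minimum))
    .map((e) => ({ version: e.version, requestedBy: entries
      .filter((p) => e.specs.includes(`${pkg}@${p.deps[pkg]}`)).map((p) => p.specs[0]) }));
}
```

Calling `findOutdated(fs.readFileSync('yarn.lock', 'utf8'), 'jsonwebtoken', '9.0.0')` in CI and failing the build on a non-empty result catches a regenerated lockfile that reverts the manual edit.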

kamran-DS commented 1 year ago

Thanks for your note. We have opened up an Engineering fix for this.

For your reference it is DCM-8728.

arealesramirez commented 1 year ago

@kamran-DS Is there a good place where I can keep track of the progress made on DCM-8728?

On the other hand, I appreciate the quick response and action toward getting this issue resolved.

acooper4960 commented 1 year ago

Hi folks, this patch is being applied to our public node SDKs this week. It is a breaking change and will require you to upgrade to the next major version. For esign this will be version 6.0.0.

acooper4960 commented 1 year ago

https://github.com/docusign/docusign-esign-node-client/releases/tag/v6.0.0