graphile / graphile-engine

Monorepo home of graphile-build, graphile-build-pg, graphile-utils, postgraphile-core and graphql-parse-resolve-info. Build a high-performance easily-extensible GraphQL schema by combining plugins!
https://www.graphile.org/

Project depends on vulnerable version of jsonwebtoken #826

Closed Alx101 closed 1 year ago

Alx101 commented 1 year ago

Summary

graphile-build-pg depends on a vulnerable version of jsonwebtoken (>= 8.5.1) with severity high

Steps to reproduce

Running npm audit on a project with postgraphile installed:

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/graphile-build-pg/node_modules/jsonwebtoken
node_modules/postgraphile/node_modules/jsonwebtoken
  graphile-build-pg  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/graphile-build-pg
    graphile-utils  >=4.4.1-alpha.0
    Depends on vulnerable versions of graphile-build-pg
    node_modules/graphile-utils
      postgraphile  *
      Depends on vulnerable versions of body-parser
      Depends on vulnerable versions of finalhandler
      Depends on vulnerable versions of graphile-build-pg
      Depends on vulnerable versions of graphile-utils
      Depends on vulnerable versions of jsonwebtoken
      Depends on vulnerable versions of postgraphile-core
      node_modules/postgraphile
    postgraphile-core  *
    Depends on vulnerable versions of graphile-build-pg
    node_modules/postgraphile-core

Possible Solution

Upgrade to the latest secure version of jsonwebtoken (v9.0.0)

benjie commented 1 year ago

Fixed in #823. We've had to drop support for Node versions < v12 because I couldn't find a way to apply the fixes without doing so in a reasonable time. Fortunately those versions of Node have been unsupported for quite a while now: https://github.com/nodejs/Release

benjie commented 1 year ago

This was released in 4.13.0