Sf298 closed 3 months ago
I have just noticed the issue is mentioned in the vulnerability tracker.
Thanks @Sf298. Please check the latest npm package: https://www.npmjs.com/package/intuit-oauth/v/4.1.1. Closing this issue for now. Feel free to re-open if you see any issues. Thanks again!
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/jsonwebtoken
  json-server-auth *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/json-server-auth

I'm facing this issue too and tried the following solution; none is working.
I have just installed the package using npm and was notified of 2 moderate severity vulnerabilities.
After running
npm audit report
I get the following output:

After installing the latest version of the vulnerable package, I do not get any warnings. Therefore I believe that the dependency version may only need updating.