jambonz / realtimedb-helpers

utility functions for querying jambonz redis database

Bump jsonwebtoken and ibm-cloud-sdk-core #25

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps jsonwebtoken and ibm-cloud-sdk-core. These dependencies needed to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates ibm-cloud-sdk-core from 3.2.1 to 3.2.2

Changelog

Sourced from ibm-cloud-sdk-core's changelog.

4.0.3 (2023-01-09)

Bug Fixes

  • VpcInstanceAuthenticator: use correct version string (4a1411a)

4.0.2 (2022-12-30)

Bug Fixes

  • auth: revert to using decode instead verify for jwt (#227) (cf3d641)

4.0.1 (2022-12-29)

Bug Fixes

  • auth: migrate to secure usage of jwt for token authentication (#225) (10e0728)

4.0.0 (2022-12-20)

Bug Fixes

  • axios 1.x in request-wrapper (9ba195b)

Build System

  • deps-dev: update typescript to 4.9.4 (1764e22)

Features

  • update minimum Node.js version to 14 (5021118)

BREAKING CHANGES

  • deps-dev: Minimum typescript version is 4. Upgrade to typescript 4.x.

  • Minimum Node.js version is 14. Upgrade to at least Node.js 14.

  • For assistance migrating to v4 - see the migration guide.

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/jambonz/realtimedb-helpers/network/alerts).