This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsonwebtoken	`^8.2.1` -> `^9.0.0`

GitHub Vulnerability Alerts

CVE-2022-23540

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if all the following are true in the jwt.verify() function:

a token with no signature is received
no algorithms are specified
a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

### [`v9.0.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#900---2022-12-21) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.5.1...v9.0.0) **Breaking changes: See [Migration from v8 to v9](https://togithub.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9)** ##### Breaking changes - Removed support for Node versions 11 and below. - The verify() function no longer accepts unsigned tokens by default. (\[[`8345030`](https://togithub.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16) - RSA key size must be 2048 bits or greater. (\[[`ecdf6cc`](https://togithub.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6) - Key types must be valid for the signing / verification algorithm ##### Security fixes - security: fixes `Arbitrary File Write via verify function` - CVE-2022-23529 - security: fixes `Insecure default algorithm in jwt.verify() could lead to signature validation bypass` - CVE-2022-23540 - security: fixes `Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC` - CVE-2022-23541 - security: fixes `Unrestricted key type could lead to legacy keys usage` - CVE-2022-23539 ### [`v8.5.1`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#851---2019-03-18) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.5.0...v8.5.1) ##### Bug fix - fix: ensure correct PS signing and verification ([#585](https://togithub.com/auth0/node-jsonwebtoken/issues/585)) ([e5874ae428ffc0465e6bd4e660f89f78b56a74a6](https://togithub.com/auth0/node-jsonwebtoken/commit/e5874ae428ffc0465e6bd4e660f89f78b56a74a6)), closes [#585](https://togithub.com/auth0/node-jsonwebtoken/issues/585) ##### Docs - README: fix markdown for algorithms table ([84e03ef70f9c44a3aef95a1dc122c8238854f683](https://togithub.com/auth0/node-jsonwebtoken/commit/84e03ef70f9c44a3aef95a1dc122c8238854f683)) ### [`v8.5.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#850---2019-02-20) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.4.0...v8.5.0) ##### New Functionality - feat: add PS JWA support for applicable node versions ([#573](https://togithub.com/auth0/node-jsonwebtoken/issues/573)) ([eefb9d9c6eec54718fa6e41306bda84788df7bec](https://togithub.com/auth0/node-jsonwebtoken/commit/eefb9d9c6eec54718fa6e41306bda84788df7bec)), closes [#573](https://togithub.com/auth0/node-jsonwebtoken/issues/573) - Add complete option in jwt.verify ([#522](https://togithub.com/auth0/node-jsonwebtoken/issues/522)) ([8737789dd330cf9e7870f4df97fd52479adbac22](https://togithub.com/auth0/node-jsonwebtoken/commit/8737789dd330cf9e7870f4df97fd52479adbac22)), closes [#522](https://togithub.com/auth0/node-jsonwebtoken/issues/522) ##### Test Improvements - Add tests for private claims in the payload ([#555](https://togithub.com/auth0/node-jsonwebtoken/issues/555)) ([5147852896755dc1291825e2e40556f964411fb2](https://togithub.com/auth0/node-jsonwebtoken/commit/5147852896755dc1291825e2e40556f964411fb2)), closes [#555](https://togithub.com/auth0/node-jsonwebtoken/issues/555) - Force use_strict during testing ([#577](https://togithub.com/auth0/node-jsonwebtoken/issues/577)) ([7b60c127ceade36c33ff33be066e435802001c94](https://togithub.com/auth0/node-jsonwebtoken/commit/7b60c127ceade36c33ff33be066e435802001c94)), closes [#577](https://togithub.com/auth0/node-jsonwebtoken/issues/577) - Refactor tests related to jti and jwtid ([#544](https://togithub.com/auth0/node-jsonwebtoken/issues/544)) ([7eebbc75ab89e01af5dacf2aae90fe05a13a1454](https://togithub.com/auth0/node-jsonwebtoken/commit/7eebbc75ab89e01af5dacf2aae90fe05a13a1454)), closes [#544](https://togithub.com/auth0/node-jsonwebtoken/issues/544) - ci: remove nsp from tests ([#569](https://togithub.com/auth0/node-jsonwebtoken/issues/569)) ([da8f55c3c7b4dd0bfc07a2df228500fdd050242a](https://togithub.com/auth0/node-jsonwebtoken/commit/da8f55c3c7b4dd0bfc07a2df228500fdd050242a)), closes [#569](https://togithub.com/auth0/node-jsonwebtoken/issues/569) ##### Docs - Fix 'cert' token which isn't a cert ([#554](https://togithub.com/auth0/node-jsonwebtoken/issues/554)) ([0c24fe68cd2866cea6322016bf993cd897fefc98](https://togithub.com/auth0/node-jsonwebtoken/commit/0c24fe68cd2866cea6322016bf993cd897fefc98)), closes [#554](https://togithub.com/auth0/node-jsonwebtoken/issues/554) ### [`v8.4.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#840---2018-11-14) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.3.0...v8.4.0) ##### New Functionality - Add verify option for nonce validation ([#540](https://togithub.com/auth0/node-jsonwebtoken/issues/540)) ([e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0](https://togithub.com/auth0/node-jsonwebtoken/commit/e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0)), closes [#540](https://togithub.com/auth0/node-jsonwebtoken/issues/540) ##### Bug Fixes - Updating Node version in Engines spec in package.json ([#528](https://togithub.com/auth0/node-jsonwebtoken/issues/528)) ([cfd1079305170a897dee6a5f55039783e6ee2711](https://togithub.com/auth0/node-jsonwebtoken/commit/cfd1079305170a897dee6a5f55039783e6ee2711)), closes [#528](https://togithub.com/auth0/node-jsonwebtoken/issues/528) [#509](https://togithub.com/auth0/node-jsonwebtoken/issues/509) - Fixed error message when empty string passed as expiresIn or notBefore option ([#531](https://togithub.com/auth0/node-jsonwebtoken/issues/531)) ([7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76](https://togithub.com/auth0/node-jsonwebtoken/commit/7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76)), closes [#531](https://togithub.com/auth0/node-jsonwebtoken/issues/531) ##### Docs - Update README.md ([#527](https://togithub.com/auth0/node-jsonwebtoken/issues/527)) ([b76f2a80f5229ee5cde321dd2ff14aa5df16d283](https://togithub.com/auth0/node-jsonwebtoken/commit/b76f2a80f5229ee5cde321dd2ff14aa5df16d283)), closes [#527](https://togithub.com/auth0/node-jsonwebtoken/issues/527) - Update README.md ([#538](https://togithub.com/auth0/node-jsonwebtoken/issues/538)) ([1956c4006472fd285b8a85074257cbdbe9131cbf](https://togithub.com/auth0/node-jsonwebtoken/commit/1956c4006472fd285b8a85074257cbdbe9131cbf)), closes [#538](https://togithub.com/auth0/node-jsonwebtoken/issues/538) - Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. ([#548](https://togithub.com/auth0/node-jsonwebtoken/issues/548)) ([dc89a641293d42f72ecfc623ce2eabc33954cb9d](https://togithub.com/auth0/node-jsonwebtoken/commit/dc89a641293d42f72ecfc623ce2eabc33954cb9d)), closes [#548](https://togithub.com/auth0/node-jsonwebtoken/issues/548) - Document NotBeforeError ([#529](https://togithub.com/auth0/node-jsonwebtoken/issues/529)) ([29cd654b956529e939ae8f8c30b9da7063aad501](https://togithub.com/auth0/node-jsonwebtoken/commit/29cd654b956529e939ae8f8c30b9da7063aad501)), closes [#529](https://togithub.com/auth0/node-jsonwebtoken/issues/529) ##### Test Improvements - Use lolex for faking date in tests ([#491](https://togithub.com/auth0/node-jsonwebtoken/issues/491)) ([677ead6d64482f2067b11437dda07309abe73cfa](https://togithub.com/auth0/node-jsonwebtoken/commit/677ead6d64482f2067b11437dda07309abe73cfa)), closes [#491](https://togithub.com/auth0/node-jsonwebtoken/issues/491) - Update dependencies used for running tests ([#518](https://togithub.com/auth0/node-jsonwebtoken/issues/518)) ([5498bdc4865ffb2ba2fd44d889fad7e83873bb33](https://togithub.com/auth0/node-jsonwebtoken/commit/5498bdc4865ffb2ba2fd44d889fad7e83873bb33)), closes [#518](https://togithub.com/auth0/node-jsonwebtoken/issues/518) - Minor test refactoring for recently added tests ([#504](https://togithub.com/auth0/node-jsonwebtoken/issues/504)) ([e2860a9d2a412627d79741a95bc7159971b923b9](https://togithub.com/auth0/node-jsonwebtoken/commit/e2860a9d2a412627d79741a95bc7159971b923b9)), closes [#504](https://togithub.com/auth0/node-jsonwebtoken/issues/504) - Create and implement async/sync test helpers ([#523](https://togithub.com/auth0/node-jsonwebtoken/issues/523)) ([683d8a9b31ad6327948f84268bd2c8e4350779d1](https://togithub.com/auth0/node-jsonwebtoken/commit/683d8a9b31ad6327948f84268bd2c8e4350779d1)), closes [#523](https://togithub.com/auth0/node-jsonwebtoken/issues/523) - Refactor tests related to audience and aud ([#503](https://togithub.com/auth0/node-jsonwebtoken/issues/503)) ([53d405e0223cce7c83cb51ecf290ca6bec1e9679](https://togithub.com/auth0/node-jsonwebtoken/commit/53d405e0223cce7c83cb51ecf290ca6bec1e9679)), closes [#503](https://togithub.com/auth0/node-jsonwebtoken/issues/503) - Refactor tests related to expiresIn and exp ([#501](https://togithub.com/auth0/node-jsonwebtoken/issues/501)) ([72f0d9e5b11a99082250665d1200c58182903fa6](https://togithub.com/auth0/node-jsonwebtoken/commit/72f0d9e5b11a99082250665d1200c58182903fa6)), closes [#501](https://togithub.com/auth0/node-jsonwebtoken/issues/501) - Refactor tests related to iat and maxAge ([#507](https://togithub.com/auth0/node-jsonwebtoken/issues/507)) ([877bd57ab2aca9b7d230805b21f921baed3da169](https://togithub.com/auth0/node-jsonwebtoken/commit/877bd57ab2aca9b7d230805b21f921baed3da169)), closes [#507](https://togithub.com/auth0/node-jsonwebtoken/issues/507) - Refactor tests related to iss and issuer ([#543](https://togithub.com/auth0/node-jsonwebtoken/issues/543)) ([0906a3fa80f52f959ac1b6343d3024ce5c7e9dea](https://togithub.com/auth0/node-jsonwebtoken/commit/0906a3fa80f52f959ac1b6343d3024ce5c7e9dea)), closes [#543](https://togithub.com/auth0/node-jsonwebtoken/issues/543) - Refactor tests related to kid and keyid ([#545](https://togithub.com/auth0/node-jsonwebtoken/issues/545)) ([88645427a0adb420bd3e149199a2a6bf1e17277e](https://togithub.com/auth0/node-jsonwebtoken/commit/88645427a0adb420bd3e149199a2a6bf1e17277e)), closes [#545](https://togithub.com/auth0/node-jsonwebtoken/issues/545) - Refactor tests related to notBefore and nbf ([#497](https://togithub.com/auth0/node-jsonwebtoken/issues/497)) ([39adf87a6faef3df984140f88e6724ddd709fd89](https://togithub.com/auth0/node-jsonwebtoken/commit/39adf87a6faef3df984140f88e6724ddd709fd89)), closes [#497](https://togithub.com/auth0/node-jsonwebtoken/issues/497) - Refactor tests related to subject and sub ([#505](https://togithub.com/auth0/node-jsonwebtoken/issues/505)) ([5a7fa23c0b4ac6c25304dab8767ef840b43a0eca](https://togithub.com/auth0/node-jsonwebtoken/commit/5a7fa23c0b4ac6c25304dab8767ef840b43a0eca)), closes [#505](https://togithub.com/auth0/node-jsonwebtoken/issues/505) - Implement async/sync tests for exp claim ([#536](https://togithub.com/auth0/node-jsonwebtoken/issues/536)) ([9ae3f207ac64b7450ea0a3434418f5ca58d8125e](https://togithub.com/auth0/node-jsonwebtoken/commit/9ae3f207ac64b7450ea0a3434418f5ca58d8125e)), closes [#536](https://togithub.com/auth0/node-jsonwebtoken/issues/536) - Implement async/sync tests for nbf claim ([#537](https://togithub.com/auth0/node-jsonwebtoken/issues/537)) ([88bc965061ed65299a395f42a100fb8f8c3c683e](https://togithub.com/auth0/node-jsonwebtoken/commit/88bc965061ed65299a395f42a100fb8f8c3c683e)), closes [#537](https://togithub.com/auth0/node-jsonwebtoken/issues/537) - Implement async/sync tests for sub claim ([#534](https://togithub.com/auth0/node-jsonwebtoken/issues/534)) ([342b07bb105a35739eb91265ba5b9dd33c300fc6](https://togithub.com/auth0/node-jsonwebtoken/commit/342b07bb105a35739eb91265ba5b9dd33c300fc6)), closes [#534](https://togithub.com/auth0/node-jsonwebtoken/issues/534) - Implement async/sync tests for the aud claim ([#535](https://togithub.com/auth0/node-jsonwebtoken/issues/535)) ([1c8ff5a68e6da73af2809c9d87faaf78602c99bb](https://togithub.com/auth0/node-jsonwebtoken/commit/1c8ff5a68e6da73af2809c9d87faaf78602c99bb)), closes [#535](https://togithub.com/auth0/node-jsonwebtoken/issues/535) ##### CI - Added Istanbul to check test-coverage ([#468](https://togithub.com/auth0/node-jsonwebtoken/issues/468)) ([9676a8306428a045e34c3987bd0680fb952b44e3](https://togithub.com/auth0/node-jsonwebtoken/commit/9676a8306428a045e34c3987bd0680fb952b44e3)), closes [#468](https://togithub.com/auth0/node-jsonwebtoken/issues/468) - Complete ESLint conversion and cleanup ([#490](https://togithub.com/auth0/node-jsonwebtoken/issues/490)) ([cb1d2e1e40547f7ecf29fa6635041df6cbba7f40](https://togithub.com/auth0/node-jsonwebtoken/commit/cb1d2e1e40547f7ecf29fa6635041df6cbba7f40)), closes [#490](https://togithub.com/auth0/node-jsonwebtoken/issues/490) - Make code-coverage mandatory when running tests ([#495](https://togithub.com/auth0/node-jsonwebtoken/issues/495)) ([fb0084a78535bfea8d0087c0870e7e3614a2cbe5](https://togithub.com/auth0/node-jsonwebtoken/commit/fb0084a78535bfea8d0087c0870e7e3614a2cbe5)), closes [#495](https://togithub.com/auth0/node-jsonwebtoken/issues/495) ### [`v8.3.0`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#830---2018-06-11) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.2.2...v8.3.0) - docs: add some clarifications ([#473](https://togithub.com/auth0/node-jsonwebtoken/issues/473)) ([cd33cc81f06068b9df6c224d300dc6f70d8904ab](https://togithub.com/auth0/node-jsonwebtoken/commit/cd33cc81f06068b9df6c224d300dc6f70d8904ab)), closes [#473](https://togithub.com/auth0/node-jsonwebtoken/issues/473) - ci: fix ci execution, remove not needed script ([#472](https://togithub.com/auth0/node-jsonwebtoken/issues/472)) ([c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5](https://togithub.com/auth0/node-jsonwebtoken/commit/c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5)), closes [#472](https://togithub.com/auth0/node-jsonwebtoken/issues/472) - new feature: Secret callback revisited ([#480](https://togithub.com/auth0/node-jsonwebtoken/issues/480)) ([d01cc7bcbdeb606d997a580f967b3169fcc622ba](https://togithub.com/auth0/node-jsonwebtoken/commit/d01cc7bcbdeb606d997a580f967b3169fcc622ba)), closes [#480](https://togithub.com/auth0/node-jsonwebtoken/issues/480) - docs:Update README.md ([#461](https://togithub.com/auth0/node-jsonwebtoken/issues/461)) ([f0e0954505f274da95a8d9603598e455b4d2c894](https://togithub.com/auth0/node-jsonwebtoken/commit/f0e0954505f274da95a8d9603598e455b4d2c894)), closes [#461](https://togithub.com/auth0/node-jsonwebtoken/issues/461) ### [`v8.2.2`](https://togithub.com/auth0/node-jsonwebtoken/blob/HEAD/CHANGELOG.md#822---2018-05-30) [Compare Source](https://togithub.com/auth0/node-jsonwebtoken/compare/v8.2.1...v8.2.2) - security: deps: jws@3.1.5 ([#477](https://togithub.com/auth0/node-jsonwebtoken/issues/477)) ([ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51](https://togithub.com/auth0/node-jsonwebtoken/commit/ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51)), closes [#465](https://togithub.com/auth0/node-jsonwebtoken/issues/465) - docs: add some clarifications ([#473](https://togithub.com/auth0/node-jsonwebtoken/issues/473)) ([cd33cc81f06068b9df6c224d300dc6f70d8904ab](https://togithub.com/auth0/node-jsonwebtoken/commit/cd33cc81f06068b9df6c224d300dc6f70d8904ab)), closes [#473](https://togithub.com/auth0/node-jsonwebtoken/issues/473) - ci: fix ci execution, remove not needed script ([#472](https://togithub.com/auth0/node-jsonwebtoken/issues/472)) ([c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5](https://togithub.com/auth0/node-jsonwebtoken/commit/c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5)), closes [#472](https://togithub.com/auth0/node-jsonwebtoken/issues/472) - docs: Update README.md ([#461](https://togithub.com/auth0/node-jsonwebtoken/issues/461)) ([f0e0954505f274da95a8d9603598e455b4d2c894](https://togithub.com/auth0/node-jsonwebtoken/commit/f0e0954505f274da95a8d9603598e455b4d2c894)), closes [#461](https://togithub.com/auth0/node-jsonwebtoken/issues/461)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

koopjs / koop-auth-direct-file

Update dependency jsonwebtoken to v9 [SECURITY] - autoclosed #20