Running npm audit reveals worrying high vulnerabilities.
Expected Behavior
No vulnerability should be returned by npm audit
Current Behavior
Below is part of the log I get when running npm audit:
jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
This outcome is expected, as the version declared in the package.json file is 8.5.1, and this version is known to contain major vulnerabilities that were fixed in versions >=9.0.0.
Possible Solution
Upgrade jsonwebtoken package to v9.0.0 or above.
Steps to Reproduce
Run npm audit
Context (Environment)
For context:
I'm using Kuzzle as a framework for my backend, which depends on kuzzle-plugin-auth-passport-local@latest.
I detected the issue when verifying my deployment pipelines (they were failing because of the audit stage).