mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

jsonwebtoken@9.0.0 > semver@7.3.8 vulnerability #251

Open KsenyaJSN opened 9 months ago

KsenyaJSN commented 9 months ago

Vulnerable Dependency Information:

Package Name: jsonwebtoken

Vulnerable Version: 9.0.0

Dependency with ReDoS Vulnerability: semver@7.3.8

Vulnerability Severity: High

https://security.snyk.io/package/npm/semver

Fixed in jsonwebtoken v.9.0.2 (https://github.com/auth0/node-jsonwebtoken/issues/921)

Ks89 commented 9 months ago

Hi @mikenicholson, this is an important vulnerability. This library should be updated quickly. It should be very easy to upgrade since v9.0.2 is a patch version and you are already using 9.0.0 on master.

Thanks