I'm facing a package dependency vulnerability in @nestjs/jwt as it depends on jsonwebtoken < 9.0.0.
```
npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
No fix available
node_modules/jsonwebtoken
  @nestjs/jwt  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@nestjs/jwt
  passport-jwt  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/passport-jwt
```
Current behavior
I'm facing a package dependency vulnerability in @nestjs/jwt as it depends on jsonwebtoken < 9.0.0.
Minimum reproduction code
https://stackblitz.com/edit/nestjs-typescript-starter-uvganw?file=package.json
Steps to reproduce
npm audit
Expected behavior
Please upgrade jsonwebtoken dependency version to 9.0.0.
Package
Other package: @nestjs/jwt
NestJS version
No response
Node.js version
19.3.0
In which operating systems have you tested?
Other
No response