octokit / octokit.js

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.
MIT License

[MAINT]: Upgrade jsonwebtoken dependency to v9.0.0 #2373

Closed ChuckCox closed 1 year ago

ChuckCox commented 1 year ago

Describe the need

The jsonwebtoken v8.5.1 package is reporting a high security vulnerability.

Could this dependency be upgraded to v9.0.0 (https://github.com/auth0/node-jsonwebtoken/tags)?

Here is the npm audit report about the issue:

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install octokit@0.10.4, which is a breaking change
node_modules/jsonwebtoken
  universal-github-app-jwt  <=2.0.0
  Depends on vulnerable versions of jsonwebtoken
  node_modules/universal-github-app-jwt
    @octokit/auth-app  >=2.1.0
    Depends on vulnerable versions of universal-github-app-jwt
    node_modules/@octokit/auth-app
      @octokit/app  >=10.0.0-beta.1
      Depends on vulnerable versions of @octokit/auth-app
      node_modules/@octokit/app
        octokit  >=1.0.0-beta.1
        Depends on vulnerable versions of @octokit/app
        node_modules/octokit

Here is a link to the known SNYK: https://security.snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020

SDK Version

No response

API Version

No response

Relevant log output

No response


wolfy1339 commented 1 year ago

There is an ongoing discussion in another repo for this exact reason.

https://github.com/octokit/auth-app.js/issues/430

Let me sum it up:

On another note, we don't use any of the methods described in the CVE affecting jsonwebtoken.

ryanmr commented 1 year ago

We use octokit for some integrations / automations, but our automated CVE scanner picked this up.

If anyone comes across this issue until this is fixed upstream in the package, and you use yarn, you can use yarn resolutions to specifically override the jsonwebtoken package:

In your package.json:

  "resolutions": {
    "jsonwebtoken": "^9.0.0"
  }

If you use npm 8.19.3 or later, you can also use npm overrides for similar overriding functionality.

Thanks all, for the great package.

wolfy1339 commented 1 year ago

Does that work for published packages? It would be a good stop-gap measure if it did.

gr2m commented 1 year ago

We are waiting for a backport to v1 of universal-github-app-jwt

done: universal-github-app-jwt@1.1.1

Deleting node_modules and your lock file and installing from scratch should fix the problem.

@octokit/js @octokit/auth-app should be updated next to force the update to v1.1.1 https://github.com/octokit/auth-app.js/blob/96291b7d942bb80a185fc5712c1af55bc2dacb8c/package.json#L34

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 2.0.11 :tada:

The release is available on:

Your semantic-release bot :package::rocket: