Closed Steve-Groner closed 3 months ago
Facing the exact same issue using node v20.14.0/Ubuntu.
Edit: after some investigations, I noticed that the `njwt` dependency got updated from `2.0.0` to `2.0.1`.
One temporary solution is to add `"njwt": "2.0.0"` to force that version in your package.json.
It's because of the `njwt` dependency updating from v2.0.0 to v2.0.1: https://github.com/jwtk/njwt/blob/master/CHANGELOG.md#201
To fix a CVE, they are now freezing all their classes and their prototypes:
We're also being affected by this at @guardian. This hit us because our production builds use `pnpm install --node-linker=hoisted`, which appears to create a new lockfile in the build directory, which in turn pulls in `njwt@2.0.1` rather than the `njwt@2.0.0` in our existing lockfile. We're copying the lockfile into the build directory to avoid this, but Okta should probably be pinning `njwt` to a specific version.
Thanks for the report, I am looking into this
I just published 3.2.1, which freezes the `njwt` dependency to mitigate the impact. I'll work on bumping the `njwt` version next.
3.2.2
Describe the bug
I upgraded to NodeJS 22.3.0 and I am receiving
```
/Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241
        jwt[methodName] = method.bind({ body: jwtBodyProxy });
                        ^

TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]'
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241:29
    at Array.forEach (<anonymous>)
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:238:30
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/njwt/index.js:63:7
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)
```
Source Code in my api:

```javascript
const OktaJwtVerifier = require('@okta/jwt-verifier') // import not shown in the report

const oktaJwtVerifier = new OktaJwtVerifier({ issuer: inputOktaIssuer })

// The snippet was posted as an object-literal member; wrapped in an object here so it parses.
module.exports = {
  // Express middleware: pulls the bearer token out of the Authorization header
  verifyToken: async function verifyToken (req, res, next) {
    const authHeader = req.headers.authorization // ['authorization']
    const token = authHeader && authHeader.split(' ')[1]
    // The rest of the handler was not included in the report.
  }
}
```
Reproduction Steps?
I make an API call from my frontend app to my backend api, which verifies the Okta token. When using nodejs 18.x it worked fine, but now with this version it fails with the above error. I discovered this because my docker pull for base image must have upgraded to a new version of Node and it started failing.
SDK Versions
```
System:
  OS: macOS 14.5
  CPU: (16) x64 Intel(R) Core(TM) i7-10700K CPU @ 3.80GHz
  Memory: 21.12 GB / 72.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.3.0 - ~/.nvm/versions/node/v22.3.0/bin/node
  npm: 10.8.1 - ~/.nvm/versions/node/v22.3.0/bin/npm
Browsers:
  Chrome: 125.0.6422.144
  Safari: 17.5
npmPackages:
  @okta/jwt-verifier: ^3.2.0 => 3.2.0
```
Additional Information
No response
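The following is an added example, not code from @okta/jwt-verifier or njwt, that models the failure described in this thread: a dependency that freezes its classes and prototypes (as the njwt 2.0.1 changelog linked above describes) turns the inherited methods non-writable, so a consumer that assigns bound copies of those methods onto an instance (the `jwt[methodName] = method.bind(...)` line in the stack trace) hits the "Cannot assign to read only property" TypeError. The `Jwt` class, `setClaim`, `claim` and the two rebind helpers are constructed names; the safe variant shows a consumer-side pattern that keeps working against a frozen prototype.

```javascript
// Added example (not code from @okta/jwt-verifier or njwt): a minimal model of
// the breakage in this issue. Jwt, setClaim, claim and the helpers are
// constructed names, not the real libraries' API.

class Jwt {
  constructor(body) { this.body = body; }
  setClaim(name, value) { this.body[name] = value; return this; }
  claim(name) { return this.body[name]; }
}
// Library-side hardening, as the njwt changelog describes: a frozen class and
// prototype cannot be altered by a prototype-pollution style write.
Object.freeze(Jwt.prototype);
Object.freeze(Jwt);

const METHODS = ['setClaim', 'claim'];

// Consumer pattern that breaks after the freeze: plain assignment of a bound
// copy of each method onto the instance. [[Set]] walks the prototype chain,
// finds the now non-writable inherited property and rejects the write.
function rebindInPlace(jwt, proxyBody) {
  'use strict'; // the TypeError in the report shows the caller ran in strict mode,
                // where a rejected write throws instead of failing silently
  for (const name of METHODS) {
    jwt[name] = Jwt.prototype[name].bind({ body: proxyBody });
  }
  return jwt;
}

// Consumer-side pattern that tolerates a frozen prototype: define an own
// property on the (still unfrozen) instance instead of assigning through
// [[Set]]. [[DefineOwnProperty]] only consults the target object itself.
function rebindSafely(jwt, proxyBody) {
  if (Object.isFrozen(jwt)) {
    throw new TypeError('instance itself is frozen; wrap it instead of patching it');
  }
  for (const name of METHODS) {
    Object.defineProperty(jwt, name, {
      value: Jwt.prototype[name].bind({ body: proxyBody }),
      writable: true,
      configurable: true,
      enumerable: false,
    });
  }
  return jwt;
}

// Runs both patterns against constructed input and reports what happened.
function runScenario() {
  const proxyBody = {};
  const broken = new Jwt({ sub: 'alice' });
  let inPlaceError = null;
  try {
    rebindInPlace(broken, proxyBody);
  } catch (err) {
    inPlaceError = err; // TypeError: Cannot assign to read only property 'setClaim' ...
  }

  const safe = rebindSafely(new Jwt({ sub: 'alice' }), proxyBody);
  safe.setClaim('role', 'reader'); // goes to proxyBody via the bound `this`
  return { inPlaceError, broken, safe, proxyBody };
}

const result = runScenario();
console.log('in-place rebind failed with:', result.inPlaceError && result.inPlaceError.message);
console.log('safe rebind wrote the claim to the proxy body:', result.proxyBody);
```

The fix that shipped in 3.2.1 per the maintainer's comment was to pin the `njwt` version rather than change the assignment; the `rebindSafely` variant illustrates what a consumer can do when the upstream freeze is kept, since it never relies on the prototype being writable.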