okta / okta-oidc-js
https://github.com/okta/okta-oidc-js

Security vulnerabilities in jwt-verifier dependencies #1007

Closed rjbaty closed 3 years ago

rjbaty commented 3 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

Security vulnerabilities found in following dependencies:

Lodash dependency comes through: @okta/jwt-verifier/2.1.0 --> @okta/configuration-validation/1.0.0 --> lodash/4.17.15

https://nvd.nist.gov/vuln/detail/CVE-2021-23337 Recommended upgrade to lodash/4.17.21

node-ini, normalize_url and path-parse dependencies all come through: @okta/jwt-verifier/2.1.0 --> @okta/configuration-validation/1.0.0 --> @okta/okta-auth-js/4.9.2

https://nvd.nist.gov/vuln/detail/CVE-2020-7788 https://nvd.nist.gov/vuln/detail/CVE-2021-33502 https://nvd.nist.gov/vuln/detail/CVE-2021-23343

Recommended upgrade to @okta/okta-auth-js/5.1.0
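The report above traces each vulnerable package back through the chain of packages that pulls it in. The following is an added example, not code from the okta-oidc-js project or from the reporter, of how a defender can reproduce such a trace from a lockfile: it walks a lockfile-v1 style dependency tree (hoisted entries under the root, nested `dependencies` for non-hoisted copies, `requires` for edges), collects every path that reaches a named package, and flags the copies whose version is below a known-fixed version. The lock data, the consumer `package.json` and the nested second copy of lodash under `@okta/okta-auth-js` are all constructed for the example and are not a description of the real packages.

```javascript
// Added example: trace every dependency path that reaches a package in a
// lockfile-v1 style tree and flag copies below the fixed version.
// The data below is CONSTRUCTED to mirror the chain in the issue; the
// nested lodash copy under @okta/okta-auth-js is invented to show that a
// hoisted and a nested copy of the same package can differ in version.
const CONSTRUCTED_PKG = {
  name: "example-app", // hypothetical consumer project
  dependencies: { "@okta/jwt-verifier": "^2.1.0" },
};

const CONSTRUCTED_LOCK = {
  dependencies: {
    "@okta/jwt-verifier": {
      version: "2.1.0",
      requires: { "@okta/configuration-validation": "^1.0.0" },
    },
    "@okta/configuration-validation": {
      version: "1.0.0",
      requires: { lodash: "^4.17.0", "@okta/okta-auth-js": "^4.9.0" },
    },
    "@okta/okta-auth-js": {
      version: "4.9.2",
      requires: { lodash: "^4.17.21", "path-parse": "^1.0.0" },
      // constructed nested (non-hoisted) copy with the fixed version
      dependencies: { lodash: { version: "4.17.21" } },
    },
    lodash: { version: "4.17.15" }, // hoisted copy, affected version
    "path-parse": { version: "1.0.6" },
  },
};

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// npm resolution rule: a required name resolves to the nearest enclosing
// "dependencies" map (innermost scope first, root last) that contains it.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Returns [{ path: ["name@version", ...], version }] for every route from a
// direct dependency of the consumer project to the target package.
function findPaths(lock, pkg, target) {
  const results = [];
  const rootScope = lock.dependencies || {};

  function walk(node, name, scopes, path) {
    const label = `${name}@${node.version}`;
    if (path.includes(label)) return; // cycle guard
    const here = [...path, label];
    if (name === target) {
      results.push({ path: here, version: node.version });
      return;
    }
    const inner = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(child, dep, inner, here);
    }
  }

  for (const direct of Object.keys(pkg.dependencies || {})) {
    const node = resolve(direct, [rootScope]);
    if (node) walk(node, direct, [rootScope], []);
  }
  return results;
}

// Keeps only the paths whose resolved copy is older than the fixed version.
function vulnerablePaths(lock, pkg, target, fixedVersion) {
  return findPaths(lock, pkg, target).filter(
    (p) => compareVersions(p.version, fixedVersion) < 0
  );
}

// Report in the same "a --> b --> c" notation used in the issue.
for (const p of vulnerablePaths(CONSTRUCTED_LOCK, CONSTRUCTED_PKG, "lodash", "4.17.21")) {
  console.log(`${p.path.join(" --> ")}  (fixed in 4.17.21)`);
}
```

Running it prints only the hoisted chain, `@okta/jwt-verifier@2.1.0 --> @okta/configuration-validation@1.0.0 --> lodash@4.17.15`, and not the nested copy that already carries the fixed version; this is the same distinction `npm ls lodash` makes on a real tree, and the reason a flat "lodash is installed" check is not enough to decide whether a fix has actually landed.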

shuowu commented 3 years ago

@rjbaty Thanks for reporting the issue! Both vulns are actually introduced by @okta/configuration-validation which would be removed from the dependencies list (v2.2.0). You can track the progress in #1012

shuowu commented 3 years ago

@okta/jwt-verifier v2.2.0 has been released on npm. Close the issue.