security vulnerabilities from lodash

[faizhasim]

I'm submitting this issue for the package(s):

• [x] jwt-verifier
• [ ] okta-angular
• [ ] oidc-middleware
• [ ] okta-react
• [ ] okta-react-native

I'm submitting a:

• [x] Bug report
• [ ] Feature request
• [ ] Other (Describe below)

Current behavior

we run security scan for all dependencies and we found out that jwt-verifier is using lodash which contains multiple high level vulnerabilities from our scan:

• https://snyk.io/vuln/SNYK-JS-LODASH-450202

• https://snyk.io/vuln/SNYK-JS-LODASH-590103

• https://snyk.io/vuln/SNYK-JS-LODASH-608086

• https://snyk.io/vuln/SNYK-JS-LODASH-73638

from the look of it, you can try to upgrade your jwks-rsa to latest version which is released 8 hours ago. seems like the auth0 folks updated already address this issue at https://github.com/auth0/node-jwks-rsa/issues/86 last year.

i honestly feel that you should expedite this due to security concerns.

Expected behavior

for all the reported vulnerabilities to be fixed

Minimal reproduction of the problem with instructions

Extra information about the use case/user story you are trying to implement

Environment

• Package Version:
• Browser:
• OS:
• Node version (node -v):
• Other:

[swiftone]

@faizhasim - Thanks for the detailed report, we'll dig into it.

[faizhasim]

Thanks for the fix.