Closed melanopsis closed 2 years ago
@melanopsis Thanks for the report.
Internal Ref: OKTA-365079
@oleksandrpravosudko-okta @okta/jwt-verifier v2.3.0 has a jwks-rsa dependency which still uses axios v0.21.1.
Axios v0.21.1 has security issues. May I know when the dependency node module will be updated?
Thanks for bringing this to our attention @sooryaprakash99. It looks like the 0.21.1 vuln was not known at the time the previous fix was applied.
I'll log another ticket to have this resolved: Internal Ref: OKTA-432584
This is not fixed yet. When can we expect this fix?
@ashokkumarsundar okta-jwt-verifier has moved to its own repo and requires axios 0.21.2 or higher:
https://github.com/okta/okta-jwt-verifier-js/blob/master/package.json#L44
jared:jwt-verifier$ yarn why axios
yarn why v1.22.17
[1/4] 🤔 Why do we have the module "axios"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "axios@0.21.4"
info Reasons this module exists
- "jwks-rsa" depends on it
- Hoisted from "jwks-rsa#axios"
info Disk size without dependencies: "512KB"
info Disk size with unique dependencies: "560KB"
info Disk size with transitive dependencies: "560KB"
info Number of shared dependencies: 1
✨ Done in 0.36s.
I'm submitting this issue for the package(s):
I'm submitting a:
Security vulnerability in axios (https://www.npmjs.com/advisories/1594) which is a dependency of jwks-rsa. Upgrade jwks-rsa to v1.12.1 or above.
npm audit output
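The thread's fix condition is a version floor on two transitive packages: axios at 0.21.2 or higher (the maintainer's reply) and jwks-rsa at 1.12.1 or higher (the original report). The `yarn why` output above shows one way to confirm the resolved version by hand; the script below automates that check over a dependency tree in the shape that `npm ls --all --json` prints. It is an added example written for this page, not code from the okta-jwt-verifier project or from anyone in the thread. The tree it walks is constructed for illustration (the jwks-rsa and axios versions in it were chosen to trigger both findings, not taken from any real @okta/jwt-verifier 2.3.0 install), and the minimum versions come only from the thread.

```javascript
// Added example (not from the okta-jwt-verifier project or this thread):
// walk a dependency tree in the shape produced by `npm ls --all --json` and
// report every path that resolves a package below a required minimum version.

// Version floors stated in the thread. Constructed table; extend it as needed.
const MIN_VERSIONS = {
  axios: '0.21.2',      // maintainer reply: okta-jwt-verifier requires axios 0.21.2 or higher
  'jwks-rsa': '1.12.1', // original report: upgrade jwks-rsa to 1.12.1 or above
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; a pre-release suffix is ignored)
// into three numbers. Anything else is rejected rather than silently compared.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: returns -1, 0 or 1 (string comparison
// would rank "0.9.0" above "0.21.1", which is exactly the mistake to avoid).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively walk an `npm ls --json` style tree ({name, version, dependencies: {name: node}})
// and collect every occurrence of a floored package that is below its floor.
// The full path is kept so the reader can see which direct dependency pulls it in.
function findVulnerableVersions(tree, minVersions = MIN_VERSIONS) {
  const findings = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      const required = minVersions[name];
      if (required && compareVersions(child.version, required) < 0) {
        findings.push({ path: here.join(' > '), name, version: child.version, required });
      }
      walk(child, here); // nested node_modules can carry their own copy of the package
    }
  }
  walk(tree, [tree.name ? `${tree.name}@${tree.version}` : 'root']);
  return findings;
}

// Human-readable report lines, one per finding.
function formatReport(findings) {
  if (findings.length === 0) return ['OK: no dependency below its required minimum'];
  return findings.map(
    (f) => `FAIL: ${f.name}@${f.version} < ${f.required} via ${f.path}`,
  );
}

// Constructed sample tree mirroring the situation in the thread: a project
// depending on @okta/jwt-verifier 2.3.0 whose jwks-rsa pulls in axios 0.21.1.
// Versions are illustrative, not a real install.
const SAMPLE_TREE = {
  name: 'my-service',
  version: '1.0.0',
  dependencies: {
    '@okta/jwt-verifier': {
      version: '2.3.0',
      dependencies: {
        'jwks-rsa': {
          version: '1.12.0',
          dependencies: { axios: { version: '0.21.1' } },
        },
      },
    },
  },
};

// Constructed tree after the upgrade: axios 0.21.4 as in the `yarn why` output above.
const FIXED_TREE = {
  name: 'my-service',
  version: '1.0.0',
  dependencies: {
    '@okta/jwt-verifier': {
      version: '2.3.0',
      dependencies: {
        'jwks-rsa': {
          version: '1.12.1',
          dependencies: { axios: { version: '0.21.4' } },
        },
      },
    },
  },
};

console.log(formatReport(findVulnerableVersions(SAMPLE_TREE)).join('\n'));
console.log(formatReport(findVulnerableVersions(FIXED_TREE)).join('\n'));
```

To run this against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json` (npm 7 or later) from the project root; the walk follows the same `dependencies` nesting, so a package hoisted to the top level and a second copy nested under some dependency are both reported with their own path.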