opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
70 stars 152 forks

Bump jose from 4.11.2 to 5.2.4 #1902

Closed cwperks closed 5 months ago

cwperks commented 5 months ago

Description

Bump jose from 4.11.2 to 5.2.4

Addresses CVE-2024-28176

Category

Maintenance

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks commented 5 months ago

Here are the release notes from v5: https://github.com/panva/jose/releases/tag/v5.0.0

If v5 causes issues then this can also be upgraded to 4.15.5: https://www.npmjs.com/package/jose/v/4.15.5

cwperks commented 5 months ago

> @cwperks shall we wait until the CVE is actually published prior to merge?

It can be merged now. 4.11.2 is from a year ago and there have been many versions published since.