panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

CVE warnings for the jose dependency #392

Closed roderik closed 3 years ago

roderik commented 3 years ago

Describe the bug

This package depends on an older version of jose, which has issued 2 CVEs for anything below version 3.11.4.

https://nvd.nist.gov/vuln/detail/CVE-2021-29445 https://nvd.nist.gov/vuln/detail/CVE-2021-29446

panva commented 3 years ago

#364 #362 the CVE you link is not for the "jose" module, please read carefully and ditch whatever tool reported this to you - it is incorrect.

michaelpinnell commented 3 years ago

I may be a bit off base here, but I'm confused by what you mean when you say it's not referring to the jose module mentioned in the CVE, when the 3.11.4 version of jose @roderik mentioned directly states that it resolves those CVE issues.


michaelpinnell commented 3 years ago

As a secondary follow-up, I'm curious if the number of breaking changes between 1.28.1 and 3.11.4 make an update prohibitively difficult.

panva commented 3 years ago

@michaelpinnell read the cve details. They contain the package names and fixed versions for each.

michaelpinnell commented 3 years ago

Ah gotcha, so it's because the issues are with the smaller jose-node-cjs-runtime, jose-node-esm-runtime, and jose-browser-runtime packages specifically, but don't impact the larger universal module? Sorry if I'm being obnoxious, just trying to get my ducks in a row before disputing the security tool we use.

panva commented 3 years ago

https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch is the only advisory affecting the "jose" module. The other three are for specific runtimes. You can see the patched versions are different in these because they only started being released in v3.x.
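The mismatch discussed in this thread (a scanner attributing advisories for the `jose-*-runtime` packages to the `jose` module) comes down to how dependency names are matched against advisory package names. The following is an added example, not code from openid-client or jose: it matches a lockfile-style dependency list against advisories by exact package name plus patched version, next to a substring matcher that reproduces the false positive. The advisory table is constructed for illustration; which runtime package each CVE names, and the patched version for GHSA-58f5-hfqc-jgch, are assumptions and not taken from the thread.

```javascript
// Added example (not part of openid-client or jose): check dependencies
// against advisories by exact package name and patched version.

// Compare two dotted numeric versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Correct matching: an advisory applies only when the package name is
// identical AND the installed version is below the patched version.
function findAffected(deps, advisories) {
  const hits = [];
  for (const dep of deps) {
    for (const adv of advisories) {
      if (dep.name === adv.package &&
          compareVersions(dep.version, adv.patched) < 0) {
        hits.push({ id: adv.id, name: dep.name, version: dep.version });
      }
    }
  }
  return hits;
}

// Substring matching: flags "jose" because "jose-node-esm-runtime" contains
// it, which is the false positive the thread is about.
function naiveFindAffected(deps, advisories) {
  return deps
    .filter(d => advisories.some(a => a.package.includes(d.name)))
    .map(d => d.name);
}

// CONSTRUCTED advisory data. The CVE-to-runtime-package assignment and the
// patched version for the GHSA entry are placeholders, not stated in the thread.
const ADVISORIES = [
  { id: 'CVE-2021-29445', package: 'jose-node-esm-runtime', patched: '3.11.4' },
  { id: 'CVE-2021-29446', package: 'jose-node-cjs-runtime', patched: '3.11.4' },
  { id: 'GHSA-58f5-hfqc-jgch', package: 'jose', patched: '1.28.1' },
];

// CONSTRUCTED dependency list resembling what a lockfile would yield.
const DEPS = [
  { name: 'jose', version: '1.28.1' },
  { name: 'jose-node-cjs-runtime', version: '3.10.0' },
];
```

With this data, `findAffected(DEPS, ADVISORIES)` reports only `jose-node-cjs-runtime@3.10.0`, while `naiveFindAffected` also reports `jose`.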