Closed roderik closed 3 years ago
I may be a bit off base here, but I'm confused by what you mean when you say it's not referring to the jose module mentioned in the CVE, when the 3.11.4 version of jose @roderik mentioned directly states that it resolves those CVE issues.
As a secondary follow-up I'm curious if the number of breaking changes between 1.28.1 and 3.11.4 make an update prohibitively difficult
@michaelpinnell read the cve details. They contain the package names and fixed versions for each.
Ah gotcha, so it's because the issues are with the smaller jose-node-cjs-runtime, jose-node-esm-runtime, and jose-browser-runtime packages specifically, but don't impact the larger universal module? Sorry if I'm being obnoxious, just trying to get my ducks in a row before disputing the security tool we use
https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch is the only advisory affecting the "jose" module. The other three are for specific runtimes. You can see the patched versions are different in these because they only started being released in v3.x
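The triage step in the comment above, as an added example that is neither code from the jose project nor from this thread: an advisory applies only to the package it names, matched exactly, so a scanner that matches "jose" as a substring of "jose-node-cjs-runtime" reports a false positive. The lockfile fragment and the runtime package version are constructed; the "jose" advisory id and the 3.11.4 fixed version come from the issue.

```javascript
// Advisory table: only the "jose" entry is taken from the issue. No runtime
// package advisory is listed, so a correct matcher must not flag those packages.
const ADVISORIES = [
  { id: 'GHSA-58f5-hfqc-jgch', pkg: 'jose', fixed: '3.11.4' },
];

// Constructed package-lock.json (lockfileVersion 2) "packages" fragment:
// a hoisted jose 1.28.1 (the version from the issue), a nested fixed copy,
// and a runtime package whose name merely contains "jose".
const LOCK = {
  packages: {
    'node_modules/jose': { version: '1.28.1' },
    'node_modules/some-lib/node_modules/jose': { version: '3.11.4' },
    'node_modules/jose-node-cjs-runtime': { version: '3.10.0' },
  },
};

// Compare dotted numeric versions; negative, zero or positive like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lockfile path: everything after the last "node_modules/".
// Handles scoped packages such as "@scope/name".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Return one finding per installed copy whose version is below the advisory's
// fixed version. With substringMatch=true the name check is the sloppy kind
// that produces the false positive discussed in the thread.
function findAffected(lock, advisories, substringMatch = false) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const name = nameFromPath(path);
    for (const adv of advisories) {
      const nameHit = substringMatch ? name.includes(adv.pkg) : name === adv.pkg;
      if (nameHit && compareVersions(meta.version, adv.fixed) < 0) {
        findings.push({ id: adv.id, pkg: name, path, version: meta.version });
      }
    }
  }
  return findings;
}

console.log('exact:', findAffected(LOCK, ADVISORIES));
console.log('substring:', findAffected(LOCK, ADVISORIES, true));
```

Exact matching reports only the hoisted jose 1.28.1; substring matching additionally flags the runtime package against an advisory that does not name it.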
Describe the bug
This package depends on an older version of jose, which has had 2 CVEs issued for anything below version 3.11.4
https://nvd.nist.gov/vuln/detail/CVE-2021-29445 https://nvd.nist.gov/vuln/detail/CVE-2021-29446