pluggyai / pluggy-node

Official Node SDK for Pluggy API

`jsonwebtoken` version has security issues #113

Open diegoholiveira opened 1 month ago

diegoholiveira commented 1 month ago

I'm getting a notification about security issues with the current version of jsonwebtoken.

# npm audit report

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6

It would be nice to update it to a safe version.

NicolasMontone commented 1 month ago

Hey @diegoholiveira, thanks for reporting this!

I will tackle this this week!

Keep in mind that this vulnerability doesn't affect this lib since we use it to check if the JWT saved internally in the SDK is expired with the following code:

  // `jwt` is `import jwt from 'jsonwebtoken'` at module level. decode() only parses the
  // payload and never checks the signature, so this is purely an expiry check.
  protected isJwtExpired(token: string): boolean {
    const decoded = jwt.decode(token, { complete: true })
    // An undecodable token or a non-object payload is treated as expired (forces a refresh)
    if (!decoded || typeof decoded.payload === 'string') return true
    const exp = decoded.payload.exp
    return typeof exp === 'number' && exp <= Math.floor(Date.now() / 1000)
  }

I know that the npm audit report is reporting the vulnerability, but just to let you know, this is a false positive.
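As an added example, not code from pluggy-node or its maintainers, the following reimplements a decode-only expiry check in plain Node (no jsonwebtoken dependency; the base64url helpers, the constructed sample token and its placeholder signature are all assumptions of this example) to show that this path never inspects the signature, which is why the verify() advisories in the audit report do not reach it, and also why it must stay an expiry hint rather than a trust decision.

```javascript
// Added example, not part of pluggy-node. Mirrors what jwt.decode(token, { complete: true })
// does: split, base64url-decode, JSON-parse. No key, no algorithm, no signature check.

function base64UrlDecode(segment) {
  const padded = segment
    .replace(/-/g, '+')
    .replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8')
    .toString('base64')
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

// Decode-only: returns header/payload/signature or null; the signature is carried, not checked.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return {
      header: JSON.parse(base64UrlDecode(parts[0])),
      payload: JSON.parse(base64UrlDecode(parts[1])),
      signature: parts[2],
    };
  } catch {
    return null;
  }
}

// Expiry check: an undecodable token or one without a numeric exp counts as expired,
// which forces the caller to fetch a fresh token instead of trusting a malformed one.
function isJwtExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const decoded = decodeJwt(token);
  if (!decoded || typeof decoded.payload.exp !== 'number') return true;
  return decoded.payload.exp <= nowSeconds;
}

// Constructed sample token; the third segment is a placeholder, not a real HMAC or RSA signature.
function makeSampleToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'sdk-client', exp }));
  return `${header}.${payload}.PLACEHOLDER_SIGNATURE`;
}
```

Because decodeJwt never looks at the signature, a token with a tampered or missing signature still yields the same expiry answer; that is exactly why this check cannot stand in for jwt.verify() with an explicit algorithms allowlist when a token's authenticity matters.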