pusher / chatkit-server-node

Node.js SDK for Pusher Chatkit
https://pusher.com/chatkit
MIT License

Upgrade jsonwebtoken dependency to fix vulnerability #18

Closed gianpaj closed 6 years ago

gianpaj commented 6 years ago

What?

❌ High severity vulnerability found in base64url
Description: Uninitialized Memory Exposure
Info: https://snyk.io/vuln/npm:base64url:20180511
Introduced through: @pusher/chatkit-server@0.12.1
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > base64url@2.0.0
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > base64url@2.0.0
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > ecdsa-sig-formatter@1.0.9 > base64url@2.0.0
and 3 more...
Remediation: ~~Your dependencies are out of date, otherwise you would be using a newer version of base64url. Try deleting node_modules, reinstalling and running snyk test again. If the problem persists,~~ one of your dependencies may be bundling outdated modules.

Suggested improvements

They fixed it in this PR: https://github.com/auth0/node-jsonwebtoken/issues/465
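The report above lists several transitive paths to the same vulnerable module, and the useful question for a maintainer is which direct dependency to bump and, after bumping, whether any copy of the old module is still installed. The following is an added example, not code from the chatkit-server-node repository or from the issue author: it parses Snyk-style "From:" paths (constructed here from the three paths quoted in the issue) to find the direct dependency and the vulnerable leaf, and walks a package-lock.json tree (a constructed lockfileVersion 1 fragment, not the project's real lockfile) to list every installed copy of a package by name.

```javascript
// Added example: triage a transitive-dependency finding like the one in this issue.
// Input paths are constructed from the report quoted above.
const SNYK_PATHS = [
  '@pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > base64url@2.0.0',
  '@pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > base64url@2.0.0',
  '@pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > ecdsa-sig-formatter@1.0.9 > base64url@2.0.0',
];

// Split "name@version" on the LAST "@" so scoped packages such as
// "@pusher/chatkit-server@0.12.1" are handled correctly.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) throw new Error(`bad package spec: ${spec}`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// One "From:" path becomes an ordered list of {name, version} entries.
function parsePath(line) {
  return line.split('>').map((s) => parseSpec(s.trim()));
}

// path[0] is the project itself, path[1] is the direct dependency that has to be
// upgraded, and the last element is the vulnerable module. Collecting these over
// all paths tells you the minimal set of direct deps to bump.
function analyzePaths(lines) {
  const direct = new Set();
  const vulnerable = new Set();
  for (const line of lines) {
    const p = parsePath(line);
    if (p.length < 2) continue; // a bare root entry carries no remediation information
    direct.add(`${p[1].name}@${p[1].version}`);
    const last = p[p.length - 1];
    vulnerable.add(`${last.name}@${last.version}`);
  }
  return { direct: [...direct].sort(), vulnerable: [...vulnerable].sort() };
}

// Constructed package-lock.json fragment (lockfileVersion 1 shape) mirroring the
// paths above; NOT the project's real lockfile.
const CONSTRUCTED_LOCK = {
  name: '@pusher/chatkit-server',
  version: '0.12.1',
  lockfileVersion: 1,
  dependencies: {
    jsonwebtoken: {
      version: '8.2.1',
      dependencies: {
        jws: {
          version: '3.1.4',
          dependencies: {
            base64url: { version: '2.0.0' },
            jwa: { version: '1.1.5', dependencies: { base64url: { version: '2.0.0' } } },
          },
        },
      },
    },
  },
};

// Recursively walk nested "dependencies" maps and record every installed copy of
// `name` with the path that pulls it in. Run this after upgrading to confirm no
// old copy survives (e.g. a dependency that bundles its own nested version).
function findInstalled(lock, name, prefix = [], out = []) {
  const deps = (lock && lock.dependencies) || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...prefix, `${depName}@${info.version}`];
    if (depName === name) out.push({ version: info.version, path: here.join(' > ') });
    findInstalled(info, name, here, out);
  }
  return out;
}

// Stand-alone run: which direct dep to bump, and where base64url is installed.
console.log(analyzePaths(SNYK_PATHS));
console.log(findInstalled(CONSTRUCTED_LOCK, 'base64url'));
```

On the constructed input this reports jsonwebtoken@8.2.1 as the only direct dependency to upgrade and base64url@2.0.0 as the only vulnerable leaf, and finds two installed copies of base64url, one under jws and one under jwa. For a lockfileVersion 2 or 3 file (flat "packages" map keyed by node_modules path) the walker would need to be adapted.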

hamchapman commented 6 years ago

Published 0.12.2 that fixes this - thanks!