rithinch / event-driven-microservices-docker-example

🐳 Simple example of event driven communication between microservices, based on Docker containers, Docker Compose and RabbitMQ. Microservices are implemented in Node.js using Koa.
MIT License
250 stars 87 forks source link

[Snyk] Security upgrade koa-jwt from 3.6.0 to 4.0.4 #42

Open rithinch opened 1 year ago

rithinch commented 1 year ago

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - services/user-management/package.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **671/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 7.7 | Improper Input Validation
[SNYK-JS-JSONWEBTOKEN-3180020](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020) | Yes | No Known Exploit ![critical severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/c.png "critical severity") | **776/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 9.8 | Improper Authentication
[SNYK-JS-JSONWEBTOKEN-3180022](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022) | Yes | No Known Exploit ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **611/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 6.5 | Improper Restriction of Security Token Assignment
[SNYK-JS-JSONWEBTOKEN-3180024](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024) | Yes | No Known Exploit ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **626/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 6.8 | Use of a Broken or Risky Cryptographic Algorithm
[SNYK-JS-JSONWEBTOKEN-3180026](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026) | Yes | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: koa-jwt The new version differs by 46 commits.
  • ac272c0 4.0.4
  • 0599444 Bump jsonwebtoken from 8.5.1 to 9.0.0
  • 634c5c0 Bump qs from 6.9.3 to 6.11.0 (#192)
  • aabdf9d Bump ansi-regex from 3.0.0 to 3.0.1 (#190)
  • 54abffc Bump minimist from 1.2.5 to 1.2.6 (#189)
  • 8ae721d Bump pathval from 1.1.0 to 1.1.1 (#187)
  • 81e326b chore: bump to 4.0.3
  • 3e83be9 4.0.2
  • c667787 Export more interfaces
  • 45bdca6 Bump path-parse from 1.0.6 to 1.0.7 (#184)
  • e944009 Bump glob-parent from 5.1.1 to 5.1.2
  • 3fb4bb7 Bump lodash from 4.17.19 to 4.17.21
  • e1d9f1e 4.0.1
  • aa6e10a Bump y18n from 4.0.0 to 4.0.1
  • d663492 Bump lodash from 4.17.15 to 4.17.19
  • 8ac436f Fix typing of `getToken`
  • f694cb6 support leading/trailing whitespace in Authorization header value
  • c073cf2 4.0.0
  • 735b89d Add missing options:
  • fa27b12 Detail explicitly middleware's options in README
  • d7f9678 Fix typing of `path` property (#172)
  • 7454df4 Merge pull request #157 from buuug7/master
  • c680e0c chore: bump deps, update yarn.lock
  • 98f2d7d Update the repo 🚀 ! (#167)
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/rithinch/project/86b54971-b6af-468c-8049-85d70ee25168?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/rithinch/project/86b54971-b6af-468c-8049-85d70ee25168?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"16b18f23-17ca-4caf-b829-87739d013ef8","prPublicId":"16b18f23-17ca-4caf-b829-87739d013ef8","dependencies":[{"name":"koa-jwt","from":"3.6.0","to":"4.0.4"}],"packageManager":"npm","projectPublicId":"86b54971-b6af-468c-8049-85d70ee25168","projectUrl":"https://app.snyk.io/org/rithinch/project/86b54971-b6af-468c-8049-85d70ee25168?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-JSONWEBTOKEN-3180020","SNYK-JS-JSONWEBTOKEN-3180022","SNYK-JS-JSONWEBTOKEN-3180024","SNYK-JS-JSONWEBTOKEN-3180026"],"upgrade":["SNYK-JS-JSONWEBTOKEN-3180020","SNYK-JS-JSONWEBTOKEN-3180022","SNYK-JS-JSONWEBTOKEN-3180024","SNYK-JS-JSONWEBTOKEN-3180026"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore"],"priorityScoreList":[671,776,611,626]}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Use of a Broken or Risky Cryptographic Algorithm](https://learn.snyk.io/lessons/insecure-hash/javascript/?loc=fix-pr)
sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication