stashaway-engineering / node-my-info-sg

Small wrapper around the Singapore MyInfo V3 API for Node.js. Wraps the scary-scary 😱 security logic into easy-to-use APIs

[Snyk] Security upgrade jose from 4.6.0 to 4.9.2 #19

Closed snyk-bot closed 1 year ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity: medium severity
Priority Score (*): 551/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.3)
Issue: Denial of Service (DoS), SNYK-JS-JOSE-3018688
Breaking Change: No
Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: jose
The new version differs by 60 commits.
  • db71b3d chore(release): 4.9.2
  • 03d6d01 fix: limit default PBES2 alg's computational expense
  • 8c5cc34 chore: cleanup after publish
  • 8ed39d6 chore(release): 4.9.1
  • 9f3c459 fix(deno): add a Deno package entrypoint
  • d07c6e9 test: update expectations for P-384 ECDH
  • 664279d chore: cleanup after publish
  • 24484d6 chore(release): 4.9.0
  • ebf277b chore: add refactors to version logs
  • d06ce65 feat: add support for RFC 9278 - JWK Thumbprint URI
  • fe5d093 refactor: unify JOSENotSupported throw on key export
  • caaf2c3 refactor: consume some base64url decode errors (#436)
  • fa19e2d docs: update README.md
  • 7895c71 docs: update node.js documentation links (#429)
  • cc90e88 ci: use deno check to test Deno definitions
  • ff2e6f5 ci: refresh publish and test action files
  • f2359aa chore(build): simplify node, npm, and dist
  • 8b99555 docs: update typedoc, format tsdoc
  • 3281e68 chore: cleanup after publish
  • 7b5fe53 chore(release): 4.8.3
  • af2b2e2 build: remove @types/web
  • ddf6677 build: use a package-lock.json lockfile
  • c48c742 build: lock typedoc semver minor
  • 06b5760 docs: update key export descriptions
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

kroleg commented 1 year ago

Discarding because of medium severity