Closed jfuginay closed 1 year ago
Duplicate Issue #846
We have updated our twilio-node v4 release candidate to v9: https://github.com/twilio/twilio-node/blob/4.0.0-rc/package.json#L26
Is it possible to see anywhere when you plan to release v4?
@vetlevo We plan to release v4 on Jan 25 as of current progress, subject to change.
@claudiachua Why not patch earlier versions? This leaves code open to known vulnerabilities for a longer period of time than necessary.
I agree. A simple patch off main that addresses only bumping jsonwebtoken to a non-vulnerable version seems like the clear best solution.
I could probably migrate our project to aws text service by the end of this month, it shouldn’t take so long to patch a critical vulnerability.
-- J. Wylie
Please see #846 comments:
twilio-node v3 supports Node v6/8/10, which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms), so no action is planned.
We have a twilio-node v4 release candidate available here https://github.com/twilio/twilio-node/tree/4.0.0-rc which drops support for Node < v14 (since v14 is the oldest maintained Node version right now).
Issue Summary
jsonwebtoken v9 has been released to address a vulnerability found in 8.5.1 and lower.
Steps to Reproduce
Look at the package.json
Suggest updating twilio's dependency to 9 so users of twilio can keep the package and avoid security warning messages.
Resource:
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529/