twilio / twilio-node

Node.js helper library
MIT License

Project package.json contains vulnerable version of jsonwebtoken #884

Closed jfuginay closed 1 year ago

jfuginay commented 1 year ago

Issue Summary

jsonwebtoken v9 has been released to address a vulnerability found in 8.51 and lower.

Steps to Reproduce

Look at the package.json

Suggest updating the twilio dependency to v9 so users of twilio can keep the package and avoid security warning messages.

Resource:

https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529/

claudiachua commented 1 year ago

Duplicate Issue #846

claudiachua commented 1 year ago

We have updated our twilio-node v4 release candidate to v9: https://github.com/twilio/twilio-node/blob/4.0.0-rc/package.json#L26

vetlevo commented 1 year ago

Is it possible to see anywhere when you plan to release v4?

claudiachua commented 1 year ago

@vetlevo We plan to release v4 on Jan 25 as of current progress, subject to change.

max-abclabs commented 1 year ago

@claudiachua Why not patch earlier versions? This leaves code open for known vulnerabilities for a longer period of time than necessary.

jfuginay commented 1 year ago

I agree. A simple patch off main that only bumps jsonwebtoken to a non-vulnerable version seems like the clear best solution.

I could probably migrate our project to aws text service by the end of this month, it shouldn’t take so long to patch a critical vulnerability.

On Fri, Jan 13, 2023 at 4:48 AM max-abclabs wrote:

> @claudiachua Why not patch earlier versions? This leaves code open for known vulnerabilities for a longer period of time than necessary.


-- J. Wylie

claudiachua commented 1 year ago

Please see #846 comments:

twilio-node v3 supports Node v6/8/10, which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms), so no action is planned.

We have a twilio-node v4 release candidate available here: https://github.com/twilio/twilio-node/tree/4.0.0-rc. It drops support for Node < v14 (since v14 is the oldest maintained Node version right now).