twilio / twilio-node

Node.js helper library
MIT License

Downstream dependency has vulnerability #944

Closed jdforsythe closed 3 months ago

jdforsythe commented 1 year ago

Issue Summary


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ twilio                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ twilio > jsonwebtoken > semver                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092310                     │
└───────────────┴──────────────────────────────────────────────────────────────┘


AsabuHere commented 1 year ago

Hi @jdforsythe, Thank you for the heads up! Our team has reviewed the twilio-node repository and don't see a semver dependency added here. Can you please share more details on where it is used?

Thanks, Athira

jdforsythe commented 1 year ago

@AsabuHere You have a dependency on jsonwebtoken which, in turn, has a dependency on semver. The version they depend on is vulnerable.

Issue: https://github.com/auth0/node-jsonwebtoken/issues/905

PR for jsonwebtoken: https://github.com/auth0/node-jsonwebtoken/pull/919

Once a new version of jsonwebtoken is released with the dependency updated, you'll just need to update your dependency to a new version of jsonwebtoken.
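The chain described above (a patched copy at the top level does not help if jsonwebtoken still pulls in its own nested, older semver) can be found mechanically. As an added example, not twilio-node code: this script walks a constructed package-lock.json object in the lockfileVersion 2/3 "packages" layout and reports every dependency path ending in a copy of a package installed below its patched version. The lockfile contents and version numbers are made up for illustration.

```javascript
// Added example, not twilio-node code: walk a package-lock.json "packages" map
// (lockfileVersion 2/3) and list every chain ending in an unpatched version.
const lock = { // constructed lockfile for illustration, not a real twilio install
  packages: {
    "": { dependencies: { twilio: "^4.0.0", semver: "^7.5.2" } },
    "node_modules/semver": { version: "7.5.4" }, // patched top-level copy
    "node_modules/twilio": { version: "4.0.0", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/jsonwebtoken": { version: "9.0.0", dependencies: { semver: "^7.3.8" } },
    "node_modules/jsonwebtoken/node_modules/semver": { version: "7.3.8" }, // nested, unpatched
  },
};
// Compare "MAJOR.MINOR.PATCH" strings numerically (prerelease tags are not handled).
function lessThan(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}
// Node-style lookup: node_modules/<name> next to the requirer, then one level up each time.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx > 0 ? base.slice(0, idx - 1) : ""; // drop the trailing node_modules/<pkg>
  }
}
// Depth-first walk from the root; report each chain whose last hop is `target` below `patched`.
function findVulnerablePaths(lock, target, patched) {
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const pkg = lock.packages[pkgPath];
    if (!pkg || seen.has(pkgPath)) return; // guard against dependency cycles
    const next = new Set(seen).add(pkgPath);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depPath = resolve(lock, pkgPath, dep);
      if (!depPath) continue; // not in the lockfile: nothing installed to report
      const version = lock.packages[depPath].version;
      if (dep === target && lessThan(version, patched)) {
        results.push([...chain, dep].join(" > ") + " (" + version + ")");
      }
      visit(depPath, [...chain, dep], next);
    }
  };
  visit("", [], new Set());
  return results;
}
console.log(findVulnerablePaths(lock, "semver", "7.5.2")); // ["twilio > jsonwebtoken > semver (7.3.8)"]
```

Run it against a real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the patched top-level semver is correctly ignored while the nested copy under jsonwebtoken is reported.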

tiwarishubham635 commented 3 months ago

Created a PR for this change. Thanks!