Please upgrade dependencies
icco opened this issue · comments
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
The dependency jsonwebtoken has three medium security vulns this package brings in.
- jsonwebtoken unrestricted key type could lead to legacy keys usage - GHSA-8cf7-32gw-wr33
- jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - GHSA-hjrf-2m68-5959
- jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - GHSA-qwph-4952-7xr6
You are also using two type stubs which are polluting the dependency tree: @types/express-jwt and @types/nock
Finally, you are using many outdated and unsupported packages, including very old versions of superagent and formidable.
Reproduction
- Run `npm i` - shows warnings of stub packages
- Run `npm audit` - shows all vulnerable packages
- Run `npm outdated` - shows all outdated packages
Additional context
No response
jwks-rsa version
Node.js version
I attempted to do this in https://github.com/auth0/node-jwks-rsa/pull/365/files but could not get the tests to pass.
Hi @icco - thanks for raising this
> The dependency jsonwebtoken has three medium security vulns this package brings in.
These dependencies (same with superagent and formidable) are dev dependencies, used in testing - so this library doesn't bring any of them in when you install this package.
Also, the version of jsonwebtoken that it uses in its testing has been patched for the vulnerabilities you've mentioned
> I attempted to do this in #365 (files) but could not get the tests to pass.
Thank you for attempting to update the dev dependencies, we'll take a look at updating them shortly
Hmm, npm (and various security scanners such as snyk and sonatype) think the jsonwebtoken dependency is bringing vulnerabilities into this package.
I wonder if there's some weird dependency resolution happening because of the multiple versions of express-jwt in dev
Don't see any issues in Snyk https://snyk.io/advisor/npm-package/jwks-rsa - let me investigate further
Ah ok, it looks like they're being picked up in the example packages, e.g. https://github.com/auth0/node-jwks-rsa/tree/2fd4582d2be5f3e4fd6ed0d6f2d8bd7103f7434d/examples/koa-demo
I'll make sure we update them when we update the dev dependencies
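The thread turns on whether the flagged `jsonwebtoken` is reachable from the package's production dependency graph or only from its dev dependencies. The script below is an added example (not code from node-jwks-rsa) that walks a `package-lock.json` (lockfileVersion 2/3) from the root entry and classifies a package as production, dev-only or absent; the lockfile it reads is constructed inline, and it assumes hoisted `node_modules/<name>` entries (no nested `node_modules` paths).

```python
"""Classify whether an advisory-flagged npm package is reachable from production
dependencies. Added example; the lockfile below is constructed, not the project's."""
import json

# Constructed lockfile: jsonwebtoken is only reachable via devDependencies.
SAMPLE_LOCK = json.dumps({
    "name": "jwks-rsa", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"jose": "^4.0.0"},
             "devDependencies": {"jsonwebtoken": "^9.0.0", "express-jwt": "^8.0.0"}},
        "node_modules/jose": {"version": "4.14.4"},
        "node_modules/jsonwebtoken": {"version": "9.0.0", "dev": True,
                                      "dependencies": {"jws": "^3.2.2"}},
        "node_modules/jws": {"version": "3.2.2", "dev": True},
        "node_modules/express-jwt": {"version": "8.4.1", "dev": True,
                                     "dependencies": {"jsonwebtoken": "^9.0.0"}},
    },
})

def reachable(lock, include_dev=False):
    """Return {name: version} for every package reachable from the root's
    dependencies (plus devDependencies when include_dev=True), following the
    hoisted node_modules/<name> entries of the lockfile."""
    packages = lock["packages"]
    root = packages[""]
    queue = list(root.get("dependencies", {}))
    if include_dev:
        queue += list(root.get("devDependencies", {}))
    seen = {}
    while queue:
        name = queue.pop()
        if name in seen:
            continue
        entry = packages.get(f"node_modules/{name}")
        if entry is None:  # e.g. an optional or peer dependency that is not installed
            continue
        seen[name] = entry["version"]
        queue.extend(entry.get("dependencies", {}))
    return seen

def exposure(lock_text, advisory_pkg):
    """'production' if consumers receive the package, 'dev-only' if it is used
    only for the project's own tests/tooling, 'absent' if it is not installed."""
    lock = json.loads(lock_text)
    if advisory_pkg in reachable(lock):
        return "production"
    if advisory_pkg in reachable(lock, include_dev=True):
        return "dev-only"
    return "absent"

if __name__ == "__main__":
    for pkg in ("jsonwebtoken", "jose", "superagent"):
        print(pkg, exposure(SAMPLE_LOCK, pkg))
```

Because the scanner findings here came from the `examples/` sub-packages, run the check against every `package-lock.json` in the repository, not only the root one.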