Bump jose to v5
karlismelderis-mckinsey opened this issue · comments
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
I believe jose v4 is no longer supported
Describe the ideal solution
bump dependency to v5
Alternatives and current workarounds
No response
Additional context
No response
agreed, seeing as JOSE 4.15 is now flagged by audit:
$ npm audit
# npm audit report
jose 3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix`
node_modules/jwks-rsa/node_modules/jose
> I believe jose v4 is no longer supported

It clearly is https://github.com/panva/jose#supported-versions

> agreed, seeing as JOSE 4.15 is now flagged by audit:

4.15.5 and 2.0.7 were released as per the Supported Versions matrix to fix the vulnerability in those release lines.

> jose to v5

not necessary, all you need to do is to run whatever equivalent of npm upgrade in your package manager is, 4.15.5 will be installed and there's no longer an issue.
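To verify that the upgrade the maintainer describes actually reached every copy of jose, here is an added example (not from this thread nor from the jose or jwks-rsa projects) that scans a package-lock.json "packages" map (lockfile v2/v3 layout), including nested copies like node_modules/jwks-rsa/node_modules/jose, and flags versions inside the advisory's affected ranges; the lock file contents are constructed for the demo.

```javascript
// Added example: find every jose entry in a package-lock.json and flag versions
// covered by GHSA-hhhv-q57g-882q (3.0.0 - 4.15.4, and 2.x below 2.0.7), which
// the thread says were fixed in 4.15.5 and 2.0.7 respectively.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically.
function compare(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Affected release lines: [min, fixed) for each, per the advisory quoted above.
const AFFECTED = [
  { min: '3.0.0', fixed: '4.15.5' },
  { min: '2.0.0', fixed: '2.0.7' },
];

function isAffected(version) {
  return AFFECTED.some(r => compare(version, r.min) >= 0 && compare(version, r.fixed) < 0);
}

// Walks the lock file's "packages" map (lockfileVersion 2/3) and reports every
// jose copy, top-level or nested, with its version and whether it is affected.
function auditJose(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/jose' || p.endsWith('/node_modules/jose'))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Constructed lock file: the top-level jose is current, but the copy nested
// under jwks-rsa (the path npm audit flagged in the thread) is still 4.15.4.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/jose': { version: '5.2.0' },
    'node_modules/jwks-rsa': { version: '3.1.0' },
    'node_modules/jwks-rsa/node_modules/jose': { version: '4.15.4' },
  },
};

for (const r of auditJose(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version} ${r.affected ? 'AFFECTED' : 'ok'}`);
}
```

Point `auditJose` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a nested copy that stays affected after `npm upgrade` means the parent package pins a range that excludes 4.15.5.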
Hi team, do we have any plan to ship in this PR?
#405