auth0 / node-jwks-rsa

A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint.


Bump jose to v5

karlismelderis-mckinsey opened this issue · comments

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I believe jose v4 is no longer supported

Describe the ideal solution

bump dependency to v5

Alternatives and current workarounds

No response

Additional context

No response

agreed, seeing as JOSE 4.15 is now flagged by audit:

$ npm audit
# npm audit report

jose  3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix`
node_modules/jwks-rsa/node_modules/jose

> I believe jose v4 is no longer supported

It clearly is https://github.com/panva/jose#supported-versions

> agreed, seeing as JOSE 4.15 is now flagged by audit:

4.15.5 and 2.0.7 were released as per the Supported Versions matrix to fix the vulnerability in those release lines.

> jose to v5

not necessary, all you need to do is to run whatever the equivalent of npm upgrade is in your package manager, 4.15.5 will be installed and there's no longer an issue.
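The audit output above matters because the flagged copy is a nested one (node_modules/jwks-rsa/node_modules/jose), which a top-level upgrade can miss. As an added check that is not part of this thread or the jwks-rsa project, the script below walks the "packages" map of a package-lock.json (lockfile v2/v3) and reports every installed jose copy inside the range npm audit reported (3.0.0 - 4.15.4); the sample lockfile and its jwks-rsa version are constructed.

```javascript
// Added example: find every jose copy in a package-lock.json, nested ones
// included, whose version falls in the range flagged by npm audit above.
const VULNERABLE_MIN = [3, 0, 0];   // lower bound from the audit report
const VULNERABLE_MAX = [4, 15, 4];  // upper bound from the audit report

// "4.15.4" -> [4, 15, 4]; pre-release and build suffixes are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10));
}

// Numeric three-part comparison: negative, zero or positive like strcmp.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when a jose version lies inside the affected range (inclusive).
function isVulnerableJose(version) {
  const v = parseVersion(version);
  return compare(v, VULNERABLE_MIN) >= 0 && compare(v, VULNERABLE_MAX) <= 0;
}

// Returns [{ path, version }] for each affected jose entry in the lockfile.
// Matches "node_modules/jose" at top level or nested under any package.
function findVulnerableJose(lockfile) {
  const packages = lockfile.packages || {};
  return Object.entries(packages)
    .filter(([p, meta]) => /(^|\/)node_modules\/jose$/.test(p) && meta && meta.version)
    .filter(([, meta]) => isVulnerableJose(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample: the top-level jose is already patched, but the copy
// nested under jwks-rsa is still the version the audit flagged.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/jose': { version: '4.15.5' },
    'node_modules/jwks-rsa': { version: '3.1.0' },          // constructed
    'node_modules/jwks-rsa/node_modules/jose': { version: '4.15.4' },
  },
};

console.log(findVulnerableJose(sampleLockfile));
```

For a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` instead of the sample; an empty result after `npm update` confirms the nested copy was actually bumped.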

Hi team, do we have any plan to ship in this pr?
#405