Security vulnerability caused by jws@3.1.4

[p-brighenti]

In our project, Snyk reported jws@3.1.4 as a dependency with a known security vulnerability, because it depends on jwa@1.1.5.

The latest version of jws (3.1.5), no longer depends on the vulnerable dependency of base64url@2.0.0.

More info about the high severity vulnerability in jws@3.1.4 can be found at https://snyk.io/vuln/npm:base64url:20180511

[kyrylkov]

@ziluvatar FYA

A simple deps update should not take 6 days

[ziluvatar]

@kyrylkov the upgrade is already in this PR: #466

Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.

I want to take a look to the fix from JWS first, I took a fast look yesterday and I'm not sure if the decoding works fine, but I want to do some checks before setting that version as default here, anyway, as I said, you could get it.

[kyrylkov]

Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.

You are correct. Somehow a few days ago (after jws 3.1.5 was released), full re-installation of jsonwebtoken still pulled 3.1.4, but not anymore. Probably package-lock.json was not deleted before re-installation.

[ziluvatar]

v8.2.2 released with this fixed. Thank you all!