Dependency jsrsasign of angular-oauth2-oidc-jwks has a critical vulnerability #1061
Comments
Any updates on this? I'd really appreciate this being fixed. Or even better, are there any chances to get the implicit flow running without jsrsasign? Unfortunately there is currently no chance to use Code Flow in my project...
No updates on any fix, but as to your other question:
Your only options will be either using the
I submitted a PR with the version bump; meanwhile, you can use the workaround described here: https://stackoverflow.com/a/62956076/26391
@jeroenheijmans @coyoteecd thanks for the advice! I think I'll wait a few more days for the PR to be merged as I'm not aware of all the breaking changes between two major versions of jsrsasign and their implications on angular-oauth2-oidc.
FWIW I can confirm that my production application has pinned (in package-lock.json) jsrsasign on 10.2.0+ and runs smoothly with it so far.
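As an added example (not code from this issue thread or from the angular-oauth2-oidc project), a small Node.js check that reads a parsed package-lock.json and reports every installed copy of jsrsasign still below 10.2.0, the first version not affected by CVE-2021-30246; it handles both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 layout, since a transitive copy under angular-oauth2-oidc-jwks can remain even when the top-level one is pinned. The sample lockfile contents are constructed.

```javascript
// Added example (not from the issue thread or the angular-oauth2-oidc project): flag copies
// of jsrsasign in a parsed package-lock.json below 10.2.0, the fix version for CVE-2021-30246.
const FIXED_VERSION = "10.2.0";

// Numeric dotted-version comparison (pre-release suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` with the path it resolved at. lockfileVersion 2/3
// keeps a flat "packages" map keyed by path; lockfileVersion 1 nests "dependencies".
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + name) && meta.version) hits.push({ path, version: meta.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + dep;
        if (dep === name && meta.version) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/"); // transitive copies
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Copies of jsrsasign that are still on an affected version.
function vulnerableJsrsasign(lock) {
  return findInstalled(lock, "jsrsasign").filter((h) => compareVersions(h.version, FIXED_VERSION) < 0);
}
// Constructed sample lockfile (lockfileVersion 3): a pinned 10.2.0 copy at the top
// level, but a transitive 8.0.12 copy still nested under angular-oauth2-oidc-jwks.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jsrsasign": { version: "10.2.0" },
    "node_modules/angular-oauth2-oidc-jwks/node_modules/jsrsasign": { version: "8.0.12" },
  },
};
vulnerableJsrsasign(SAMPLE_LOCK).forEach((h) => console.log(`affected: ${h.path}@${h.version} (< ${FIXED_VERSION})`));
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to run it against a real project; a non-empty result means an affected copy is still installed despite any top-level pin.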
I just updated angular-oauth2-oidc to version 12.0.1 from previously 9.x. When running npm install I get
On the other hand in the readme it states:
which sounds to me like version 12.x of the library should also work with older versions of Angular (I'm using 9.x). So can I just ignore the npm warning? Why do you have Angular >= 12 as a requirement if you say it should also work with older versions?
answered in #1111
Is there any news about this issue?
Describe the bug
angular-oauth2-oidc-jwks has a dependency
"jsrsasign": "^8.0.12"
CVE-2021-30246 has been published with a CVSS 3.x score of 9.1 and affects all versions of jsrsasign prior to 10.2.0.
References
See https://nvd.nist.gov/vuln/detail/CVE-2021-30246 & GHSA-27fj-mc8w-j9wg
I'll try and raise a PR to update that dependency later today as it would be great to get this resolved ASAP.