This repository has been archived by the owner on Aug 18, 2020. It is now read-only.

Upgrade jsonwebtoken dependency to fix vulnerability #18

Closed
gianpaj opened this issue Jul 21, 2018 · 1 comment

gianpaj commented Jul 21, 2018

What?

❌ High severity vulnerability found in base64url
Description: Uninitialized Memory Exposure
Info: https://snyk.io/vuln/npm:base64url:20180511
Introduced through: @pusher/chatkit-server@0.12.1
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > base64url@2.0.0
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > base64url@2.0.0
From: @pusher/chatkit-server@0.12.1 > jsonwebtoken@8.2.1 > jws@3.1.4 > jwa@1.1.5 > ecdsa-sig-formatter@1.0.9 > base64url@2.0.0
and 3 more...
Remediation:
~~Your dependencies are out of date, otherwise you would be using a newer version of base64url.
Try deleting node_modules, reinstalling and running snyk test again. If the problem persists,~~ one of your dependencies may be bundling outdated modules.

Suggested improvements

They fixed it in this PR:
auth0/node-jsonwebtoken#465

@hamchapman
Contributor

Published 0.12.2 that fixes this - thanks!
