Update dependency express-jwt to v6 [SECURITY] #7

renovate · 2021-04-26T16:08:36Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
express-jwt	`^3.0.0` -> `^6.0.0`

GitHub Vulnerability Alerts

CVE-2020-15084

Overview

Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration.
When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using express-jwt
AND
You do not have algorithms configured in your express-jwt configuration.
AND
You are using libraries such as jwks-rsa as the secret.

How to fix that?

Specify algorithms in the express-jwt configuration. The following is an example of a proper configuration

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // restrict allowed algorithms
  algorithms: ['RS256']
});

Will this update impact my users?

The fix provided in patch will not affect your users if you specified the algorithms allowed. The patch now makes algorithms a required configuration.

Credit

IST Group

Release Notes

auth0/express-jwt (express-jwt)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Pin dependency express-jwt to v3.4.0 [SECURITY]~~ Pin dependency express-jwt to 3.4.0 [SECURITY] May 9, 2021

renovate bot changed the title ~~Pin dependency express-jwt to 3.4.0 [SECURITY]~~ Pin dependency express-jwt to v3.4.0 [SECURITY] May 15, 2021

renovate bot changed the title ~~Pin dependency express-jwt to v3.4.0 [SECURITY]~~ Pin dependency express-jwt to v [SECURITY] Mar 7, 2022

renovate bot changed the title ~~Pin dependency express-jwt to v [SECURITY]~~ Pin dependency express-jwt to v3.4.0 [SECURITY] Sep 25, 2022

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 3311ae1 to 5f8af26 Compare November 20, 2022 17:49

renovate bot changed the title ~~Pin dependency express-jwt to v3.4.0 [SECURITY]~~ Update dependency express-jwt to v7 [SECURITY] Nov 20, 2022

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 5f8af26 to 9ee0e89 Compare March 18, 2023 14:08

renovate bot changed the title ~~Update dependency express-jwt to v7 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Mar 18, 2023

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Mar 23, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 9ee0e89 to 7098c8f Compare March 23, 2023 19:12

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Apr 3, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 7098c8f to 111199b Compare April 3, 2023 09:43

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Apr 3, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 111199b to 49f9d57 Compare April 3, 2023 11:38

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 49f9d57 to 135fcd3 Compare April 17, 2023 11:46

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Apr 17, 2023

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Apr 17, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 135fcd3 to 7abac35 Compare April 17, 2023 15:24

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 7abac35 to e73dc0c Compare May 28, 2023 08:33

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] May 28, 2023

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] May 28, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from e73dc0c to 29b917d Compare May 28, 2023 12:52

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 29b917d to 8fc6099 Compare June 4, 2023 14:07

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Jun 4, 2023

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Jun 4, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 8fc6099 to 2727955 Compare June 4, 2023 16:47

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Jun 13, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 2727955 to 926e576 Compare June 13, 2023 13:27

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Jun 16, 2023

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 926e576 to 1534ba8 Compare June 16, 2023 06:09

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Dec 18, 2024

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 5ca8ee7 to f46d83e Compare December 22, 2024 16:25

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Dec 22, 2024

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Dec 22, 2024

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from f46d83e to 55580a7 Compare December 22, 2024 18:46

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 55580a7 to d057355 Compare January 19, 2025 02:13

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Jan 19, 2025

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Jan 19, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch 2 times, most recently from cdd06b0 to 0009101 Compare January 23, 2025 19:41

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Jan 23, 2025

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Jan 23, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch 2 times, most recently from 49172ba to 16560b1 Compare January 30, 2025 16:09

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Jan 30, 2025

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Jan 30, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 16560b1 to 40a7ae1 Compare January 30, 2025 23:14

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 40a7ae1 to 6972aa2 Compare February 9, 2025 16:01

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Feb 9, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 6972aa2 to 1362880 Compare February 9, 2025 18:53

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Feb 9, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 1362880 to a57343d Compare March 3, 2025 13:00

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Mar 3, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from a57343d to 1e4c366 Compare March 3, 2025 18:52

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Mar 3, 2025

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 1e4c366 to 115745a Compare March 11, 2025 16:32

renovate bot changed the title ~~Update dependency express-jwt to v6 [SECURITY]~~ Update dependency express-jwt to v8 [SECURITY] Mar 11, 2025

Update dependency express-jwt to v6 [SECURITY]

b39a5d0

renovate bot force-pushed the renovate/npm-express-jwt-vulnerability branch from 115745a to b39a5d0 Compare March 11, 2025 20:36

renovate bot changed the title ~~Update dependency express-jwt to v8 [SECURITY]~~ Update dependency express-jwt to v6 [SECURITY] Mar 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express-jwt to v6 [SECURITY] #7

Update dependency express-jwt to v6 [SECURITY] #7

renovate bot commented Apr 26, 2021 •

edited

Loading

Update dependency express-jwt to v6 [SECURITY] #7

Are you sure you want to change the base?

Update dependency express-jwt to v6 [SECURITY] #7

Conversation

renovate bot commented Apr 26, 2021 • edited Loading

GitHub Vulnerability Alerts

Overview

Am I affected?

How to fix that?

Will this update impact my users?

Credit

Release Notes

Configuration

renovate bot commented Apr 26, 2021 •

edited

Loading