jwks-rsa publishes examples to npm registry which causes security violations #189

anthony-telljohann · 2020-10-06T14:00:02Z

Description

jwks-rsa publishes the examples directory to npm. The examples contain non-production code which security tools such as NexusIQ will scan and report vulnerabilities on which is the case with koa.

The text was updated successfully, but these errors were encountered:

richgerrard · 2020-10-07T20:04:14Z

We also consume you, and we are seeing CVE-2020-15084 flagged in our CI process because you are including express-jwt in your example directory:
Ex: /usr/src/app/node_modules/jwks-rsa/examples/express-demo/node_modules/express-jwt

It is imperative that you do not include dependencies in the example folder of your node module.

Closes: #189 Currently, the examples directory is published in the npm package. This results in `jwks-rsa` being flagged with `CVE-2020-15084` since the example included installs express-jwt. A simple solution to this is to add `examples` to `.npmignore`

richgerrard mentioned this issue Oct 8, 2020

fix: Do not publish examples #190

Merged

2 tasks

frederikprijck closed this as completed in #190 Oct 8, 2020

snyk-bot mentioned this issue Jan 8, 2023

[Snyk] Security upgrade koa-jwt from 3.6.0 to 4.0.4 donavon/node-jwks-rsa#18

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

jwks-rsa publishes examples to npm registry which causes security violations #189

jwks-rsa publishes examples to npm registry which causes security violations #189

anthony-telljohann commented Oct 6, 2020 •

edited

Loading

richgerrard commented Oct 7, 2020

jwks-rsa publishes examples to npm registry which causes security violations #189

jwks-rsa publishes examples to npm registry which causes security violations #189

Comments

anthony-telljohann commented Oct 6, 2020 • edited Loading

Description

richgerrard commented Oct 7, 2020

anthony-telljohann commented Oct 6, 2020 •

edited

Loading