Please upgrade dependencies #366

Closed
4 tasks done
icco opened this issue May 26, 2023 · 5 comments · Fixed by #371
Labels
dependencies Pull requests that update a dependency file

Comments

@icco

icco commented May 26, 2023

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

The dependency jsonwebtoken has three medium security vulns this package brings in.

  • jsonwebtoken unrestricted key type could lead to legacy keys usage - GHSA-8cf7-32gw-wr33
  • jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - GHSA-hjrf-2m68-5959
  • jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - GHSA-qwph-4952-7xr6

You are also using two type stubs which are polluting the dependency tree: @types/express-jwt and @types/nock

Finally you are using many outdated and unsupported packages, including very old versions of superagent and formidable.

Reproduction

  1. Run npm i - shows warnings of stub packages
  2. Run npm audit - shows all vulnerable packages
  3. Run npm outdated - shows all outdated packages

Additional context

No response

jwks-rsa version

Node.js version

@icco icco added the bug label May 26, 2023
@icco
Author

icco commented May 26, 2023

I attempted to do this in https://github.com/auth0/node-jwks-rsa/pull/365/files but could not get the tests to pass.

@adamjmcgrath
Contributor

Hi @icco - thanks for raising this

The dependency jsonwebtoken has three medium security vulns this package brings in.

This dependency (same with superagent and formidable) is a dev dependency, used in testing - so this library doesn't bring any of them in when you install this package.

Also, the version of jsonwebtoken that it uses in its testing has been patched for the vulnerabilities you've mentioned.

I attempted to do this in #365 (files) but could not get the tests to pass.

Thank you for attempting to update the dev dependencies, we'll take a look at updating them shortly

@adamjmcgrath adamjmcgrath added dependencies Pull requests that update a dependency file and removed bug labels May 30, 2023
@icco
Author

icco commented May 30, 2023

Hmm, npm (and various security scanners such as snyk and sonatype) think the jsonwebtoken dependency is bringing vulnerabilities into this package.

I wonder if there's some weird dependency resolution happening because of the multiple versions of express-jwt in dev.

@adamjmcgrath
Contributor

Don't see any issues in Snyk https://snyk.io/advisor/npm-package/jwks-rsa - let me investigate further

@adamjmcgrath
Contributor

Ah ok, it looks like they're being picked up in the example packages, e.g. https://github.com/auth0/node-jwks-rsa/tree/2fd4582d2be5f3e4fd6ed0d6f2d8bd7103f7434d/examples/koa-demo

I'll make sure we update them when we update the dev dependencies
