Please upgrade dependencies #366
Comments
I attempted to do this in https://github.com/auth0/node-jwks-rsa/pull/365/files but could not get the tests to pass.
Hi @icco - thanks for raising this.
This dependency (same with superagent and formidable) is a dev dependency, used in testing - so this library doesn't bring any of them in when you install this package. Also, the version of jsonwebtoken that it uses in its testing has been patched for the vulnerabilities you've mentioned.
Thank you for attempting to update the dev dependencies, we'll take a look at updating them shortly.
Hmm, npm (and various security scanners such as Snyk and Sonatype) think the jsonwebtoken dependency is bringing vulnerabilities into this package. I wonder if there's some weird dependency resolution happening because of the multiple versions of express-jwt in dev.
Don't see any issues in Snyk https://snyk.io/advisor/npm-package/jwks-rsa - let me investigate further.
Ah ok, it looks like they're being picked up in the example packages, e.g. https://github.com/auth0/node-jwks-rsa/tree/2fd4582d2be5f3e4fd6ed0d6f2d8bd7103f7434d/examples/koa-demo. I'll make sure we update them when we update the dev dependencies.
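The disagreement above (a scanner flags jsonwebtoken, the maintainer says it is only reachable through dev dependencies) can be settled from the lockfile: npm's lockfileVersion 2/3 "packages" map marks every entry that is reachable only via devDependencies with "dev": true, so an audit finding only matters to consumers if some copy of the package lacks that flag. The script below is an added example, not code from the node-jwks-rsa project; the lockfile contents and versions are constructed for illustration.

```python
import json

# Constructed sample lockfile (lockfileVersion 3). Not the real node-jwks-rsa
# lockfile: package names, versions and nesting are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "example-lib",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"jose": "^4.0.0"},
             "devDependencies": {"express-jwt": "^6.0.0", "mocha": "^10.0.0"}},
        "node_modules/jose": {"version": "4.15.0"},
        # express-jwt pins its own nested copy of jsonwebtoken; both are dev-only
        "node_modules/express-jwt": {"version": "6.1.0", "dev": True},
        "node_modules/express-jwt/node_modules/jsonwebtoken": {
            "version": "8.5.1", "dev": True},
        "node_modules/mocha": {"version": "10.2.0", "dev": True},
    },
})


def classify_package(lock_json: str, name: str) -> dict:
    """Return every installed copy of `name`, split into copies reachable from
    the published dependency graph ("prod") and dev-only copies ("dev").

    A lockfile path ending in node_modules/<name> is one installed copy; npm
    sets "dev": true on entries reachable only through devDependencies.
    """
    lock = json.loads(lock_json)
    result = {"prod": [], "dev": []}
    for path, meta in lock.get("packages", {}).items():
        if not path or path.rpartition("node_modules/")[2] != name:
            continue  # root entry or a different package
        bucket = "dev" if meta.get("dev") else "prod"
        result[bucket].append((path, meta.get("version")))
    return result


def ships_to_consumers(lock_json: str, name: str) -> bool:
    """True if at least one copy of `name` is installed for package consumers."""
    return bool(classify_package(lock_json, name)["prod"])


def triage_audit(lock_json: str, reported: list) -> dict:
    """Split names from an audit report into runtime-relevant and dev-only."""
    return {
        "runtime": [n for n in reported if ships_to_consumers(lock_json, n)],
        "dev_only": [n for n in reported if not ships_to_consumers(lock_json, n)],
    }
```

Run it against the real lockfile with `classify_package(open("package-lock.json").read(), "jsonwebtoken")`; a package that appears only under examples/ will not be in the root lockfile at all, which is the other way a scanner result can differ from what `npm install` delivers.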
Description
The dependency jsonwebtoken has three medium security vulns this package brings in.
You are also using two type stubs which are polluting the dependency tree: @types/express-jwt and @types/nock
Finally, you are using many outdated and unsupported packages, including very old versions of superagent and formidable.
Reproduction
- npm i - shows warnings of stub packages
- npm audit - shows all vulnerable packages
- npm outdated - shows all outdated packages
Additional context
No response
jwks-rsa version
Node.js version