
fix: Do not publish examples #190

Merged
merged 1 commit into from
Oct 8, 2020

Conversation

richgerrard (Contributor):

Closes: #189

Currently, the examples directory is published in the npm package. This results in jwks-rsa being flagged with CVE-2020-15084 since the example included installs express-jwt. A simple solution to this is to add examples to .npmignore

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

In CI checks, consumers of the jwks-rsa node module will scan the resulting images for known security vulnerabilities and block deploys when packages with known vulnerabilities are discovered.

Complicating matters, some modules publish to NPM with "example" directories containing other packages that aren't needed at runtime. This practice stalls deployment pipelines and contributes unwanted files to runtime images.

jwks-rsa:1.5.1 was flagged for including express-jwt:3.4.0 in the examples directory. This package was flagged for containing CVE-2020-15084 at path /usr/src/app/node_modules/jwks-rsa/examples/express-demo/node_modules/express-jwt

References

https://nvd.nist.gov/vuln/detail/CVE-2020-15084

Testing

Publish dry-run:

npm publish --dry-run

Checklist

  • [N/A] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

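As an added example (not code from this PR or the jwks-rsa project), this is the kind of pre-publish check a CI job could run over the `npm pack` tarball to catch files that should not ship: anything under `examples/` or a nested `node_modules/`. The tarball layout is constructed inline to mirror the report, and `filter_with_npmignore` is a deliberately simplified prefix model of `.npmignore`, not npm's real glob semantics.

```python
import io
import tarfile

# Directories whose contents should never ship in a published package:
# "examples" is what this PR adds to .npmignore; a nested "node_modules" is
# how the flagged express-jwt copy reached consumers' runtime images.
UNWANTED_DIRS = ("examples", "node_modules")

def unwanted_entries(tar_bytes: bytes) -> list:
    """Paths in an `npm pack` tarball that sit under an unwanted directory.
    npm prefixes every member with 'package/', which is stripped here."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            if parts[0] == "package":
                parts = parts[1:]
            if any(p in UNWANTED_DIRS for p in parts[:-1]):
                found.append("/".join(parts))
    return found

def filter_with_npmignore(paths: list, npmignore_lines: list) -> list:
    """Simplified .npmignore model: each non-comment line is a path prefix.
    Real npm applies gitignore-style globs; this only models the PR's case."""
    rules = [l.strip().rstrip("/") for l in npmignore_lines
             if l.strip() and not l.lstrip().startswith("#")]
    return [p for p in paths if not any(p == r or p.startswith(r + "/") for r in rules)]

def build_sample_tarball(files: dict) -> bytes:
    """Constructed stand-in for `npm pack` output (not a real jwks-rsa release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed layout mirroring the report: a demo app with its own node_modules.
SAMPLE = build_sample_tarball({
    "package.json": b'{"name":"demo-pkg","version":"0.0.0"}',
    "lib/index.js": b"module.exports = {};\n",
    "examples/express-demo/package.json": b'{"dependencies":{"express-jwt":"3.4.0"}}',
    "examples/express-demo/node_modules/express-jwt/package.json": b'{"name":"express-jwt"}',
})

if __name__ == "__main__":
    for path in unwanted_entries(SAMPLE):
        print("should not be published:", path)
```

Against a real package, feed it the tarball written by `npm pack` (the same file list `npm publish --dry-run` prints) and fail the pipeline if the list is non-empty.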
richgerrard requested a review from a team, October 8, 2020 13:17

frederikprijck (Member):

Thanks for this fix @richgerrard!

Successfully merging this pull request may close these issues.

jwks-rsa publishes examples to npm registry which causes security violations