Update dependency jsonwebtoken to v9 #75

mend-for-github-com · 2022-12-23T01:27:55Z

This PR contains the following updates:

Package	Type	Update	Change
jsonwebtoken	dependencies	major	`^8.5.1` -> `^9.0.0`

By merging this PR, the issue #74 will be automatically resolved and closed:

auth0/node-jsonwebtoken

Breaking changes: See Migration from v8 to v9

Removed support for Node versions 11 and below.
The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
Key types must be valid for the signing / verification algorithm

security: fixes Arbitrary File Write via verify function - CVE-2022-23529
security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Update dependency jsonwebtoken to v9

bc961d0

mend-for-github-com bot added the security fix Security fix generated by Mend label Dec 23, 2022

marcioaffonso merged commit ba6ddf0 into main Jan 10, 2023

mend-for-github-com bot deleted the whitesource-remediate/jsonwebtoken-9.x branch January 10, 2023 21:44

Provide feedback