Comments (5)
I attempted to do this in https://github.com/auth0/node-jwks-rsa/pull/365/files but could not get the tests to pass.
from node-jwks-rsa.
Hi @icco - thanks for raising this
The dependency jsonwebtoken has three medium security vulns this package brings in.
This dependency (same with superagent and formidible) are dev dependencies, used in testing - so this library doesn't bring any of them in when you install this package.
Also, the version of jsonwebtoken that it uses in its testing has been patched for the vulnerabilities you've mentioned
I attempted to do this in #365 (files) but could not get the tests to pass.
Thank you for attempting to update the dev dependencies, we'll take a look at updating them shortly
from node-jwks-rsa.
Hmm, npm (and various security scanners such as snyk and sonatype) think the jsonwebtoken dependency is bringing vulnerabilities into this package.
I wonder if there's some weird dependency resolution happening because of the multiple versions of express-jwt in dev
from node-jwks-rsa.
Don't see any issues in Snyk https://snyk.io/advisor/npm-package/jwks-rsa - let me investigate further
from node-jwks-rsa.
Ah ok, it looks like they're being picked up in the example packages eg https://github.com/auth0/node-jwks-rsa/tree/2fd4582d2be5f3e4fd6ed0d6f2d8bd7103f7434d/examples/koa-demo
I'll make sure we update them when we update the dev dependencies
from node-jwks-rsa.
Related Issues (20)
- Types for JwksClient.getSigningKey still allows callbacks HOT 2
- cache doesn't work for the expressJwtSecret function HOT 3
- Types conflict between [email protected] and [email protected] HOT 2
- FIX BUG TYPES WITH TYPESCRIPT AND AUTH 0 HOT 1
- The JWKS endpoint did not contain any signing keys HOT 2
- cb is not a function HOT 2
- Add pre-fetch keys / tweaks to caching HOT 2
- strictSsl property not available jwksRsa.hapiJwt2KeyAsync HOT 2
- I can't login to my wallet I tried everything else but it is hopeless 😔 I hope you can understand that I created Bitcoin with satoshi nakamoto in 2008
- error in secret or public key callback: The JWKS endpoint did not contain any signing keys HOT 3
- Consider outputting ESM HOT 2
- types referred in dependencies section of package json HOT 2
- Make jwks-rsa resilient in the face of inability to access the underlying JWKS HOT 1
- Provide a way to prevent `getKeysInterceptor` falling back to `jwksUri` when the result doesn't contain the `kid` HOT 2
- No support for Cloudflare Workers HOT 3
- Can't match types definition in @types/[email protected] HOT 2
- error TS2688: Cannot find type definition file for 'express-unless'.
- Bump jose to v5 HOT 3
- Add module-info.java
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from node-jwks-rsa.