fix security with Vulnerable module: base64url

[ddtraceweb]

fix security with Vulnerable module: base64url

[justingreenberg]

Versions of base64url before 3.0.0 are vulnerable to to out-of-bounds reads (as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below

references:

• https://hackerone.com/reports/321687
• https://nodesecurity.io/advisories/658

Node 4/5 are almost EOL and clearly contain vulnerabilities, maybe time to cut a new major and drop support?

[victor-geere]

jws 3.1.5 doesn't use base64url. that's the whole point of this merge request. we can't use this package while it has a security advisory. please reconsider.

[cjcodes]

@jfromaniello or @ziluvatar can you weigh in here? Haven't heard anything from you guys since this became an issue 5 days ago.

This issue seems to be blocking a lot of folks, especially now that npm audit is becoming a bigger part of teams' deployment pipelines.

[ziluvatar]

Answered in: #465 (comment)

Keep in mind our package.json definition allows JWS patch upgrades, you should be able to get the new JWS release right away.

I want to take a look to the fix from JWS first, I took a fast look yesterday and I'm not sure if the decoding works fine, but I want to do some checks before setting that version as default here, anyway, as I said, you could get it.

[ziluvatar]

@ddtraceweb can you update your branch with latest commits from master branch? I fixed the CI there.

[ziluvatar]

Thanks for the PR @ddtraceweb ! I finally used my PR because I couldn't merge yours without rebasing master. Released on v8.2.2.