
[MAINT]: Upgrade jsonwebtoken dependency to v9.0.0 #2373

Closed
1 task done
ChuckCox opened this issue Jan 5, 2023 · 5 comments · Fixed by #2374
Labels
released Status: Blocked Some technical or requirement is blocking the issue Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR

Comments

@ChuckCox

ChuckCox commented Jan 5, 2023

Describe the need

The jsonwebtoken v8.5.1 package is reporting a high security vulnerability.

Could this dependency be upgraded to v9.0.0 (https://github.com/auth0/node-jsonwebtoken/tags)?

Here is the npm audit report about the issue:

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install octokit@0.10.4, which is a breaking change
node_modules/jsonwebtoken
  universal-github-app-jwt  <=2.0.0
  Depends on vulnerable versions of jsonwebtoken
  node_modules/universal-github-app-jwt
    @octokit/auth-app  >=2.1.0
    Depends on vulnerable versions of universal-github-app-jwt
    node_modules/@octokit/auth-app
      @octokit/app  >=10.0.0-beta.1
      Depends on vulnerable versions of @octokit/auth-app
      node_modules/@octokit/app
        octokit  >=1.0.0-beta.1
        Depends on vulnerable versions of @octokit/app
        node_modules/octokit

Here is a link to the known SNYK: https://security.snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@ChuckCox ChuckCox added Status: Triage This is being looked at and prioritized Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR labels Jan 5, 2023
@github-project-automation github-project-automation bot moved this to 🆕 Triage in 🧰 Octokit Active Jan 5, 2023
@wolfy1339 wolfy1339 added Priority: Low Status: Blocked Some technical or requirement is blocking the issue and removed Status: Triage This is being looked at and prioritized labels Jan 5, 2023
@wolfy1339
Member

There is an ongoing discussion in another repo for this exact reason.

octokit/auth-app.js#430

Let me sum it up:

  • The Octokit packages are CommonJS
  • universal-github-app-jwt is now an ESM module as of v2
  • The jsonwebtoken dependency was upgraded to v9 in v2.1 of universal-github-app-jwt
  • We are waiting for a backport to v1 of universal-github-app-jwt

On another note, we don't use any of the methods described in the CVE affecting jsonwebtoken.

@ryanmr

ryanmr commented Jan 5, 2023

We use octokit for some integrations / automations, but our automated CVE scanner picked this up.

If anyone comes across this issue before it is fixed upstream in the package and you use yarn, you can use yarn resolutions to specifically override the jsonwebtoken package:

In your package.json:

  "resolutions": {
    "jsonwebtoken": "^9.0.0"
  }

If you use npm 8.19.3 or later, you can also use npm overrides for similar overriding functionality.

Thanks all, for the great package.

@nickfloyd nickfloyd moved this from 🆕 Triage to 🛑 Blocked/Awaiting Response in 🧰 Octokit Active Jan 5, 2023
@wolfy1339
Member

Does that work for published packages?
It would be a good stop-gap measure if it did.

@gr2m
Contributor

gr2m commented Jan 6, 2023

We are waiting for a backport to v1 of universal-github-app-jwt

done: universal-github-app-jwt@1.1.1

Deleting node_modules and your lock file and installing from scratch should fix the problem.

@octokit/js @octokit/auth-app should be updated next to force the update to v1.1.1
https://github.com/octokit/auth-app.js/blob/96291b7d942bb80a185fc5712c1af55bc2dacb8c/package.json#L34
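As an added example (not code from the octokit project or from any commenter), the following Node script checks the outcome of the two workarounds in this thread, ryanmr's yarn resolutions / npm overrides pin and gr2m's clean reinstall, by scanning a package-lock.json for every resolved copy of jsonwebtoken still below 9.0.0. It assumes a lockfileVersion 2 or 3 lockfile (the `packages` map keyed by path); the sample package.json and lockfile contents are constructed.

```javascript
// Added example, not octokit project code. After a yarn "resolutions" / npm
// "overrides" pin or a clean reinstall, no resolved copy of jsonwebtoken in
// package-lock.json (lockfileVersion 2 or 3) should remain below 9.0.0.
const PKG = 'jsonwebtoken';
const SAFE_MIN = '9.0.0';

// Numeric compare of "x.y.z" strings; pre-release tags are ignored (assumption).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved copy of jsonwebtoken, hoisted or nested under another package,
// that is still below SAFE_MIN. The path shows where it sits in the tree.
function findVulnerableJwt(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG) || !meta.version) continue;
    if (cmpVersion(meta.version, SAFE_MIN) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Which pin package.json declares, if any: yarn reads "resolutions", npm "overrides".
function jwtPin(pkgJson) {
  const pin = (pkgJson.resolutions || {})[PKG] || (pkgJson.overrides || {})[PKG];
  return pin ? String(pin) : null;
}

// Constructed sample: a package.json with the yarn pin from the comment above, and a
// stale lockfile that still carries the hoisted 8.5.1 plus a nested 9.0.0 copy.
const samplePkgJson = { name: 'my-app', resolutions: { [PKG]: '^9.0.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/universal-github-app-jwt': { version: '1.1.0' },
    'node_modules/jsonwebtoken': { version: '8.5.1' },
    'node_modules/other-tool/node_modules/jsonwebtoken': { version: '9.0.0' },
  },
};

console.log('pin:', jwtPin(samplePkgJson)); // pin: ^9.0.0
console.log('still vulnerable:', findVulnerableJwt(sampleLock));
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableJwt`; an empty result means the pin or reinstall took effect for every copy in the tree, not just the hoisted one.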

@github-actions

github-actions bot commented Jan 6, 2023

🎉 This issue has been resolved in version 2.0.11 🎉

The release is available on:

Your semantic-release bot 📦🚀
