
Project package.json contains vulnerable version of jsonwebtoken #884

Closed
jfuginay opened this issue Jan 11, 2023 · 7 comments
Labels
status: duplicate duplicate issue

Comments

@jfuginay

Issue Summary

jsonwebtoken v9 has been released to address vulnerability found in 8.51 and lower.

Steps to Reproduce

Look at the package.json

Suggest updating twilio dependency to 9 so users of twilio can keep the package and avoid security warning messages.

Resource:

https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529/
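The reproduction step above is to inspect package.json, but for most twilio users jsonwebtoken arrives transitively through the twilio package, so the resolved version only shows up in the lockfile. The following is an added example, not code from this issue or from twilio-node: a dependency-free Node.js script that audits a package.json and a package-lock.json (the v2/v3 `packages` map) for any jsonwebtoken entry that can resolve to a version below 9.0.0, the fixed major named in the issue. Both manifests and every version number in them are constructed for illustration.

```javascript
// Constructed sample manifests (not the real twilio-node or any real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: { twilio: "^3.0.0", jsonwebtoken: "^8.5.1", express: "4.18.2" },
  devDependencies: { jest: "~29.3.0" }
});

const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { twilio: "^3.0.0", jsonwebtoken: "^8.5.1" } },
    "node_modules/twilio": { version: "3.0.0", dependencies: { jsonwebtoken: "^8.5.1" } },
    "node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/other-lib/node_modules/jsonwebtoken": { version: "9.0.0" }
  }
});

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a simple range can resolve to. Handles exact versions and the
// common ^, ~, >= and = prefixes; anything else (||, x-ranges, dist-tags) returns
// null so the caller can flag it for manual review instead of guessing.
function rangeLowerBound(range) {
  const m = /^\s*(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)\s*$/.exec(String(range));
  return m ? parseVersion(m[2]) : null;
}

function classify(lower, fixed) {
  if (lower === null) return "unparsed";
  return compareVersions(lower, fixed) < 0 ? "vulnerable" : "ok";
}

// Direct dependencies: a range whose lower bound is below `fixedIn` can install
// a vulnerable release even if a newer one also satisfies it.
function auditPackageJson(packageJsonText, pkgName, fixedIn) {
  const manifest = JSON.parse(packageJsonText);
  const fixed = parseVersion(fixedIn);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const deps = manifest[section] || {};
    if (!(pkgName in deps)) continue;
    const range = deps[pkgName];
    findings.push({ section, range, status: classify(rangeLowerBound(range), fixed) });
  }
  return findings;
}

// Names of lockfile entries that declare pkgName as a dependency. This is a flat
// scan and does not model npm's nesting rules; it is meant to point at who pulls
// the package in (e.g. twilio), not to replace `npm ls`.
function dependentsOf(packages, pkgName) {
  const out = [];
  for (const [path, entry] of Object.entries(packages)) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    if (pkgName in deps) out.push(path === "" ? "(root)" : path.split("node_modules/").pop());
  }
  return out;
}

// Resolved copies: every "node_modules/.../<pkgName>" entry, top-level or nested.
function auditLockfile(lockText, pkgName, fixedIn) {
  const lock = JSON.parse(lockText);
  const packages = lock.packages || {};
  const fixed = parseVersion(fixedIn);
  const requiredBy = dependentsOf(packages, pkgName);
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const isTarget = path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`);
    if (!isTarget) continue;
    findings.push({ path, version: entry.version, requiredBy, status: classify(parseVersion(entry.version), fixed) });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON, "jsonwebtoken", "9.0.0")) {
    console.log(`package.json ${f.section}: jsonwebtoken@${f.range} -> ${f.status}`);
  }
  for (const f of auditLockfile(SAMPLE_LOCKFILE, "jsonwebtoken", "9.0.0")) {
    console.log(`lockfile ${f.path}: ${f.version} -> ${f.status} (required by ${f.requiredBy.join(", ")})`);
  }
}
```

To run it against a real project, replace the two constructed strings with `fs.readFileSync("package.json", "utf8")` and `fs.readFileSync("package-lock.json", "utf8")`. The lockfile audit is the one that matters here: a top-level `node_modules/jsonwebtoken` entry below 9.0.0 is what `npm audit` warns about, and the `requiredBy` list shows whether it is twilio or the project's own dependency that keeps the old range.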

claudiachua added the "status: duplicate" label and removed the "status: waiting for feedback" label on Jan 11, 2023
@claudiachua

Duplicate Issue #846

@claudiachua

We have updated our twilio-node v4 release candidate to jsonwebtoken v9: https://github.com/twilio/twilio-node/blob/4.0.0-rc/package.json#L26

@vetlevo

vetlevo commented Jan 12, 2023

Is it possible to see anywhere when you plan to release v4?

@claudiachua

@vetlevo We plan to release v4 on Jan 25 as of current progress, subject to change.

@max-abclabs

@claudiachua
Why not patch earlier versions? This leaves code open for known vulnerabilities for a longer period of time than necessary.

@jfuginay

jfuginay commented Jan 13, 2023 via email

@claudiachua

Please see #846 comments:

twilio-node v3 supports Node v6/8/10 which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms) so no action is planned.

We have a twilio-node v4 release candidate available here: https://github.com/twilio/twilio-node/tree/4.0.0-rc. It drops support for Node < v14 (since v14 is the oldest maintained Node version right now).
