Project package.json contains vulnerable version of jsonwebtoken #884
Comments
Duplicate Issue #846 |
We have updated our twilio-node v4 release candidate to v9: https://github.com/twilio/twilio-node/blob/4.0.0-rc/package.json#L26 |
Is it possible to see anywhere when you plan to release v4? |
@vetlevo We plan to release v4 on Jan 25 as of current progress, subject to change. |
@claudiachua |
I agree. A simple patch off main that addresses only bumping jsonwebtoken
to non vulnerable version seems like the clear best solution.
I could probably migrate our project to aws text service by the end of this
month, it shouldn’t take so long to patch a critical vulnerability.
On Fri, Jan 13, 2023 at 4:48 AM max-abclabs ***@***.***> wrote:
@claudiachua <https://github.com/claudiachua>
Why not patch earlier versions? This leaves code open for known
vulnerabilities for a longer period of time than necessary.
--
J. Wylie
|
Please see #846 comments: twilio-node v3 supports Node v6/8/10 which are not supported by jsonwebtoken v9. But, after reviewing the vulnerabilities in jsonwebtoken v8, our helper lib is not affected (we don’t verify signatures, only do the signing, and we use default algorithms) so no action is planned. We have a twilio-node v4 release candidate available here https://github.com/twilio/twilio-node/tree/4.0.0-rc which drops support for Node < v14 (since v14 is the oldest maintained Node version right now) |
Issue Summary
jsonwebtoken v9 has been released to address a vulnerability found in 8.51 and lower.
Steps to Reproduce
Look at the package.json
Suggest updating twilio dependency to 9 so users of twilio can keep the package and avoid security warning messages.
Resource:
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529/