chore: Bump jsonwebtoken and twilio (#380)
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) to 9.0.2 and updates ancestor dependency [twilio](https://github.com/twilio/twilio-node). These dependencies need to be updated together. Updates `jsonwebtoken` from 8.5.1 to 9.0.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md">jsonwebtoken's changelog</a>.</em></p> <blockquote> <h2>9.0.2 - 2023-08-30</h2> <ul> <li>security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes <a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/921">#921</a>.</li> <li>refactor: reduce library size by using lodash specific dependencies, closes <a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/878">#878</a>.</li> </ul> <h2>9.0.1 - 2023-07-05</h2> <ul> <li>fix(stubs): allow decode method to be stubbed</li> </ul> <h2>9.0.0 - 2022-12-21</h2> <p><strong>Breaking changes: See <a href="https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9">Migration from v8 to v9</a></strong></p> <h3>Breaking changes</h3> <ul> <li>Removed support for Node versions 11 and below.</li> <li>The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]<a href="https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16">https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16</a>)</li> <li>RSA key size must be 2048 bits or greater. 
([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]<a href="https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6">https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6</a>)</li> <li>Key types must be valid for the signing / verification algorithm</li> </ul> <h3>Security fixes</h3> <ul> <li>security: fixes <code>Arbitrary File Write via verify function</code> - CVE-2022-23529</li> <li>security: fixes <code>Insecure default algorithm in jwt.verify() could lead to signature validation bypass</code> - CVE-2022-23540</li> <li>security: fixes <code>Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC</code> - CVE-2022-23541</li> <li>security: fixes <code>Unrestricted key type could lead to legacy keys usage</code> - CVE-2022-23539</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/bc28861f1fa981ed9c009e29c044a19760a0b128"><code>bc28861</code></a> Release 9.0.2 (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/935">#935</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/96b89060cfc19272a7d853f53cb28c42580a6a67"><code>96b8906</code></a> refactor: use specific lodash packages (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/933">#933</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/ed35062239c0195d4341025d4699cc39608b435e"><code>ed35062</code></a> security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/932">#932</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/84539b29e17fd40ed25c53fc28db8ae41a34aff8"><code>84539b2</code></a> Updating package version to 9.0.1 (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/920">#920</a>)</li> <li><a 
href="https://github.com/auth0/node-jsonwebtoken/commit/a99fd4b473e257c2f50ff69c716db1c520bf9a78"><code>a99fd4b</code></a> fix(stubs): allow decode method to be stubbed (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/876">#876</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"><code>e1fa9dc</code></a> Merge pull request from GHSA-8cf7-32gw-wr33</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/5eaedbf2b01676d952336e73b4d2efba847d2d1b"><code>5eaedbf</code></a> chore(ci): remove github test actions job (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/861">#861</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/cd4163eb1407aab0b3148f91b0b9c26276b96c6b"><code>cd4163e</code></a> chore(ci): configure Github Actions jobs for Tests & Security Scanning (<a href="https://redirect.github.com/auth0/node-jsonwebtoken/issues/856">#856</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6"><code>ecdf6cc</code></a> fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16"><code>8345030</code></a> fix(sign&verify)!: Remove default <code>none</code> support from <code>sign</code> and <code>verify</code> met...</li> <li>Additional commits viewable in <a href="https://github.com/auth0/node-jsonwebtoken/compare/v8.5.1...v9.0.2">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~charlesrea">charlesrea</a>, a new releaser for jsonwebtoken since your current version.</p> </details> <br /> Updates `twilio` from 3.84.1 to 4.20.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/twilio/twilio-node/releases">twilio's 
releases</a>.</em></p> <blockquote> <h2>4.20.0</h2> <h2><strong>Release Notes</strong></h2> <p><strong>Api</strong></p> <ul> <li>Updated service base url for connect apps and authorized connect apps APIs <strong>(breaking change)</strong></li> </ul> <p><strong>Events</strong></p> <ul> <li>Marked as GA</li> </ul> <p><strong>Insights</strong></p> <ul> <li>decommission voice-qualitystats-endpoint role</li> </ul> <p><strong>Numbers</strong></p> <ul> <li>Add Get Port In request api</li> </ul> <p><strong>Taskrouter</strong></p> <ul> <li>Add <code>jitter_buffer_size</code> param in update reservation</li> </ul> <p><strong>Trusthub</strong></p> <ul> <li>Add additional optional fields in compliance_tollfree_inquiry.json</li> </ul> <p><strong>Verify</strong></p> <ul> <li>Remove <code>Tags</code> from Public Docs <strong>(breaking change)</strong></li> </ul> <p><strong><a href="https://twilio.com/docs/libraries/reference/twilio-node/4.20.0/index.html">Docs</a></strong></p> <h2>4.19.3</h2> <h2><strong>Release Notes</strong></h2> <p><strong>Verify</strong></p> <ul> <li>Add <code>VerifyEventSubscriptionEnabled</code> parameter to service create and update endpoints.</li> </ul> <p><strong><a href="https://twilio.com/docs/libraries/reference/twilio-node/4.19.3/index.html">Docs</a></strong></p> <h2>4.19.0</h2> <h2><strong>Release Notes</strong></h2> <p><strong>Library - Chore</strong></p> <ul> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/966">#966</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/966">twilio/twilio-node#966</a>): upgraded semver versions. Thanks to <a href="https://github.com/sbansla"><code>@sbansla</code></a>!</li> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/964">#964</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/964">twilio/twilio-node#964</a>): added feature request issue template. 
Thanks to <a href="https://github.com/sbansla"><code>@sbansla</code></a>!</li> </ul> <p><strong>Accounts</strong></p> <ul> <li>Updated Safelist metadata to correct the docs.</li> <li>Add Global SafeList API changes</li> </ul> <p><strong>Api</strong></p> <ul> <li>Added optional parameter <code>CallToken</code> for create participant api</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/twilio/twilio-node/blob/main/CHANGES.md">twilio's changelog</a>.</em></p> <blockquote> <h2>[2023-12-14] Version 4.20.0</h2> <p><strong>Api</strong></p> <ul> <li>Updated service base url for connect apps and authorized connect apps APIs <strong>(breaking change)</strong></li> </ul> <p><strong>Events</strong></p> <ul> <li>Marked as GA</li> </ul> <p><strong>Insights</strong></p> <ul> <li>decommission voice-qualitystats-endpoint role</li> </ul> <p><strong>Numbers</strong></p> <ul> <li>Add Get Port In request api</li> </ul> <p><strong>Taskrouter</strong></p> <ul> <li>Add <code>jitter_buffer_size</code> param in update reservation</li> </ul> <p><strong>Trusthub</strong></p> <ul> <li>Add additional optional fields in compliance_tollfree_inquiry.json</li> </ul> <p><strong>Verify</strong></p> <ul> <li>Remove <code>Tags</code> from Public Docs <strong>(breaking change)</strong></li> </ul> <h2>[2023-12-01] Version 4.19.3</h2> <p><strong>Verify</strong></p> <ul> <li>Add <code>VerifyEventSubscriptionEnabled</code> parameter to service create and update endpoints.</li> </ul> <h2>[2023-11-17] Version 4.19.2</h2> <p><strong>Library - Chore</strong></p> <ul> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/971">#971</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/971">twilio/twilio-node#971</a>): Update axios to 1.6 to pull in fix for CVE 2023 45857. 
Thanks to <a href="https://github.com/kitu-apietila"><code>@kitu-apietila</code></a>!</li> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/963">#963</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/963">twilio/twilio-node#963</a>): Removing Test Related To Deprecated Endpoint - OAuth. Thanks to <a href="https://github.com/KobeBrooks"><code>@KobeBrooks</code></a>!</li> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/958">#958</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/958">twilio/twilio-node#958</a>): twilio help changes. Thanks to <a href="https://github.com/kridai"><code>@kridai</code></a>!</li> <li>[PR <a href="https://redirect.github.com/twilio/twilio-node/issues/978">#978</a>](<a href="https://redirect.github.com/twilio/twilio-node/pull/978">twilio/twilio-node#978</a>): Removed LTS version. Thanks to <a href="https://github.com/tiwarishubham635"><code>@tiwarishubham635</code></a>!</li> </ul> <p><strong>Api</strong></p> <ul> <li>Update documentation to reflect RiskCheck GA</li> </ul> <p><strong>Messaging</strong></p> <ul> <li>Add tollfree edit_allowed and edit_reason fields</li> <li>Update Phone Number, Short Code, Alpha Sender, US A2P and Channel Sender documentation</li> </ul> <p><strong>Taskrouter</strong></p> <ul> <li>Add container attribute to task_queue_bulk_real_time_statistics endpoint</li> </ul> <p><strong>Trusthub</strong></p> <ul> <li>Rename did to tollfree_phone_number in compliance_tollfree_inquiry.json</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Upgrade guide</summary> <p><em>Sourced from <a href="https://github.com/twilio/twilio-node/blob/main/UPGRADE.md">twilio's upgrade guide</a>.</em></p> <blockquote> <h1>Upgrade Guide</h1> <p><em>All <code>MAJOR</code> version bumps will have upgrade notes posted here.</em></p> <h2>[2023-01-25] 3.x.x to 4.x.x</h2> <hr /> <ul> <li>Supported Node.js versions updated <ul> <li>Upgrade to Node.js >= 14</li> <li>Dropped support for Node.js < 14 (<a href="https://redirect.github.com/twilio/twilio-node/pull/791">#791</a>)</li> <li>Added support for Node.js 18 (<a href="https://redirect.github.com/twilio/twilio-node/pull/794">#794</a>)</li> </ul> </li> <li>Lazy loading enabled by default (<a href="https://redirect.github.com/twilio/twilio-node/pull/752">#752</a>) <ul> <li>Required Twilio modules now lazy load by default</li> <li>See the <a href="https://github.com/twilio/twilio-node/blob/main/README.md#lazy-loading">README</a> for how to disable lazy loading</li> </ul> </li> <li>Type changes from <code>object</code> to <code>Record</code> (<a href="https://redirect.github.com/twilio/twilio-node/pull/873">#873</a>) <ul> <li>Certain response properties now use the <code>Record</code> type with <code>string</code> keys</li> <li>Including the <code>subresourceUris</code> property for v2010 APIs and the <code>links</code> properties for non-v2010 APIs</li> </ul> </li> <li>Access Tokens <ul> <li>Creating an <a href="https://www.twilio.com/docs/iam/access-tokens">AccessToken</a> requires an <code>identity</code> in the options (<a href="https://redirect.github.com/twilio/twilio-node/pull/875">#875</a>)</li> <li><code>ConversationsGrant</code> has been deprecated in favor of <code>VoiceGrant</code> (<a href="https://redirect.github.com/twilio/twilio-node/pull/783">#783</a>)</li> <li><code>IpMessagingGrant</code> has been removed (<a href="https://redirect.github.com/twilio/twilio-node/pull/784">#784</a>)</li> </ul> </li> <li>TwiML function 
deprecations (<a href="https://redirect.github.com/twilio/twilio-node/pull/788">#788</a>) <ul> <li><a href="https://www.twilio.com/docs/voice/twiml/refer"><code>&lt;Refer&gt;</code></a> <ul> <li><code>Refer.referSip()</code> replaced by <code>Refer.sip()</code></li> </ul> </li> <li><a href="https://www.twilio.com/docs/voice/twiml/say/text-speech#generating-ssml-via-helper-libraries"><code>&lt;Say&gt;</code></a> <ul> <li> <p><code>Say.ssmlBreak()</code> and <code>Say.break_()</code> replaced by <code>Say.break()</code></p> </li> <li> <p><code>Say.ssmlEmphasis()</code> replaced by <code>Say.emphasis()</code></p> </li> <li> <p><code>Say.ssmlLang()</code> replaced by <code>Say.lang()</code></p> </li> <li> <p><code>Say.ssmlP()</code> replaced by <code>Say.p()</code></p> </li> <li> <p><code>Say.ssmlPhoneme()</code> replaced by <code>Say.phoneme()</code></p> </li> <li> <p><code>Say.ssmlProsody()</code> replaced by <code>Say.prosody()</code></p> </li> <li> <p><code>Say.ssmlS()</code> replaced by <code>Say.s()</code></p> </li> <li> <p><code>Say.ssmlSayAs()</code> replaced by <code>Say.sayAs()</code></p> </li> <li> <p><code>Say.ssmlSub()</code> replaced by <code>Say.sub()</code></p> </li> <li> <p><code>Say.ssmlW()</code> replaced by <code>Say.w()</code></p> <p>Old:</p> <pre lang="js"><code>const response = new VoiceResponse(); const say = response.say("Hello"); say.ssmlEmphasis("you"); </code></pre> <p>New:</p> <pre lang="js"><code>const response = new VoiceResponse(); const say = response.say("Hello"); </code></pre> </li> </ul> </li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/twilio/twilio-node/commit/aa7a28bf1279dfd6d4430e12b6b32c16f0485c87"><code>aa7a28b</code></a> Release 4.20.0</li> <li><a href="https://github.com/twilio/twilio-node/commit/a2f90eb47a8451198cd0ff79eb2ff3cfae3c4e3b"><code>a2f90eb</code></a> [Librarian] Regenerated @ 08c0904bec7ba6e5da9e5db6c4e0f74dfc97fb10</li> <li><a href="https://github.com/twilio/twilio-node/commit/2a51f837687f7be5a15ad8a28639312b86d321fd"><code>2a51f83</code></a> Release 4.19.3</li> <li><a href="https://github.com/twilio/twilio-node/commit/90208b3a7780e2685d472e95c4874f3830308e54"><code>90208b3</code></a> [Librarian] Regenerated @ 437c39e3f150e78058f5afb3ef0672e89fc59ec0</li> <li><a href="https://github.com/twilio/twilio-node/commit/00e852f8617666e54bc1473624e55d994029aac1"><code>00e852f</code></a> Release 4.19.2</li> <li><a href="https://github.com/twilio/twilio-node/commit/5a3916dc0bc799cb3ca5340f39f8ecadee507588"><code>5a3916d</code></a> [Librarian] Regenerated @ 24dcf52b3ba6769ea21d08329aa544a79742b6c2</li> <li><a href="https://github.com/twilio/twilio-node/commit/ce0804c5e1fb8f6d21026aba3858b3e1ac319521"><code>ce0804c</code></a> chore: Removing Test Related To Deprecated Endpoint - OAuth (<a href="https://redirect.github.com/twilio/twilio-node/issues/963">#963</a>)</li> <li><a href="https://github.com/twilio/twilio-node/commit/23eca5645571da1c293095eca511f4361ab1fb37"><code>23eca56</code></a> chore: twilio help changes (<a href="https://redirect.github.com/twilio/twilio-node/issues/958">#958</a>)</li> <li><a href="https://github.com/twilio/twilio-node/commit/a981eb0266674ecc165e9fa460e2b81c8c6daa1b"><code>a981eb0</code></a> chore: Update axios to 1.6 to pull in fix for CVE 2023 45857 (<a href="https://redirect.github.com/twilio/twilio-node/issues/971">#971</a>)</li> <li><a href="https://github.com/twilio/twilio-node/commit/e7bbeb18ddcec8b0874326266b6c73d4e2a073f3"><code>e7bbeb1</code></a> 
chore: Removed LTS version (<a href="https://redirect.github.com/twilio/twilio-node/issues/978">#978</a>)</li> <li>Additional commits viewable in <a href="https://github.com/twilio/twilio-node/compare/3.84.1...4.20.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/vercel/nft/network/alerts). 
</details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>