Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: updating semver to 7.5.4 to resolve CVE-2022-25883 #932

Merged
merged 1 commit into from
Aug 30, 2023

Conversation

jakelacey2012
Copy link
Contributor

@jakelacey2012 jakelacey2012 commented Aug 25, 2023

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR updates semver to a minimum version of 7.5.4 to resolve CVE-2022-25883.

References

Testing

  • npm test is passing.
  • ✅ This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@jakelacey2012 jakelacey2012 changed the title Updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.2 to resolve CVE-2022-25883 Aug 25, 2023
Copy link

@SEKERM SEKERM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please go to 7.5.4.

@mkrudele
Copy link

When will this PR be merged and a new version of the module published?

package.json Outdated
@@ -39,7 +39,7 @@
"jws": "^3.2.2",
"lodash": "^4.17.21",
"ms": "^2.1.1",
"semver": "^7.3.8"
"semver": "^7.5.2"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"semver": "^7.5.2"
"semver": "^7.5.4"

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a few bugfixes from 7.5.3 and 7.5.4.

@jakelacey2012 jakelacey2012 changed the title security: updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.4 to resolve CVE-2022-25883 Aug 29, 2023
@jakelacey2012
Copy link
Contributor Author

@SEKERM @cpettet thanks for the feedback, I've updated to 7.5.4.

Copy link

@SEKERM SEKERM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. @david-renaud-okta can you give approval with write access:

Review required
At least 1 approving review is required by reviewers with write access.

@SEKERM
Copy link

SEKERM commented Aug 30, 2023

@jakelacey2012 when will you merge into master? Thank you.

@jakelacey2012 jakelacey2012 merged commit ed35062 into auth0:master Aug 30, 2023
1 check passed
@Uzlopak
Copy link

Uzlopak commented Nov 20, 2023

You could have just removed semver

https://github.com/auth0/node-jsonwebtoken/pull/880/files

D'oh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants