Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump jose to v5 #403

Open
4 tasks done
karlismelderis-mckinsey opened this issue Mar 8, 2024 · 5 comments
Open
4 tasks done

Bump jose to v5 #403

karlismelderis-mckinsey opened this issue Mar 8, 2024 · 5 comments

Comments

@karlismelderis-mckinsey
Copy link

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I believe jose v4 is no longer supported

Describe the ideal solution

bump dependency to v5

Alternatives and current workarounds

No response

Additional context

No response

@ssipos90
Copy link

ssipos90 commented Mar 8, 2024

agreed, seeing as JOSE 4.15 is now flagged by audit:

$ npm audit
# npm audit report

jose  3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix`
node_modules/jwks-rsa/node_modules/jose

@panva
Copy link
Contributor

panva commented Mar 12, 2024

I believe jose v4 is no longer supported

It clearly is https://github.com/panva/jose#supported-versions

agreed, seeing as JOSE 4.15 is now flagged by audit:

4.15.5 and 2.0.7 was released as per the Supported Versions matrix to fix the vulnerability in those release lines.

jose to v5

not necessary, all you need to do is to run whatever equivalent of npm upgrade in your package manager is, 4.15.5 will be installed and there's no longer an issue.

@blindperson
Copy link
Contributor

Hi team, do we have any plan to ship in this pr?
#405

@javierjulio
Copy link

Looks like #405 was closed in favor of #402. It would help to have a new release including that security fix.

@novotnyJiri
Copy link

Hi guys, any update on this? We would like to upgrade jose to v5 in our codebase since bug fixes and new features are no longer supported in v4. Is there any plan on upgrading jose in node-jwks-rsa to v5?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants