v18.2.14
Update dependency jsonwebtoken to v9 [SECURITY]
Notable changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([
8345030
]auth0/node-jsonwebtoken@8345030) - RSA key size must be 2048 bits or greater. ([
ecdf6cc
]auth0/node-jsonwebtoken@ecdf6cc) - Key types must be valid for the signing / verification algorithm
- security: fixes
Arbitrary File Write via verify function
- CVE-2022-23529 - security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass
- CVE-2022-23540 - security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- CVE-2022-23541 - security: fixes
Unrestricted key type could lead to legacy keys usage
- CVE-2022-23539
auth0/node-jsonwebtoken (jsonwebtoken)
v9.0.0
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([
8345030
]auth0/node-jsonwebtoken@8345030) - RSA key size must be 2048 bits or greater. ([
ecdf6cc
]auth0/node-jsonwebtoken@ecdf6cc) - Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes
Arbitrary File Write via verify function
- CVE-2022-23529 - security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass
- CVE-2022-23540 - security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- CVE-2022-23541 - security: fixes
Unrestricted key type could lead to legacy keys usage
- CVE-2022-23539
List of commits
f05e499 (Update dependency jsonwebtoken to v9 [SECURITY], 2024-07-02)