[Snyk] Fix for 22 vulnerabilities #17
base: master
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/npm:http-proxy-agent:20180406
- https://snyk.io/vuln/npm:https-proxy-agent:20180402
- https://snyk.io/vuln/SNYK-JS-IP-6240864
- https://snyk.io/vuln/npm:base64url:20180511
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://snyk.io/vuln/SNYK-JS-NETMASK-1089716
- https://snyk.io/vuln/SNYK-JS-NETMASK-6056519
- https://snyk.io/vuln/SNYK-JS-LODASH-6139239
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-Y18N-1021887
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-IP-7148531
- https://snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
- https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/npm:extend:20180424
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
jsonwebtoken@^8.1.0: | ||
version "8.2.0" | ||
resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-8.2.0.tgz#690ec3a9e7e95e2884347ce3e9eb9d389aa598b3" | ||
jsonwebtoken@^8.3.0, jsonwebtoken@^8.5.0, jsonwebtoken@^8.5.1: |
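Review bot: the lockfile lines shown here keep jsonwebtoken inside the 8.x range (`jsonwebtoken@^8.1.0` resolves to `8.2.0`, and the `^8.3.0`/`^8.5.0`/`^8.5.1` group can likewise only resolve to an 8.x release), while the Snyk findings attached at yarn.lock:4710 and yarn.lock:4671 state that the fix for CVE-2022-23539 and CVE-2022-23541 is jsonwebtoken 9.0.0 or later. A caret range on 8.x never picks up 9.x, so this lockfile update cannot remediate those two findings; the dependents that declare these ranges need a release that depends on jsonwebtoken ^9, or a `resolutions` entry in package.json forcing 9.x, followed by a fresh lockfile update.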
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4710.
Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539
Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.
@@ -4323,6 +4668,17 @@ jsonify@~0.0.0: | |||
version "0.0.0" | |||
resolved "https://registry.yarnpkg.com/jsonify/-/jsonify-0.0.0.tgz#2c74b6ee41d93ca51b7b5aaee8f503631d252a73" | |||
|
|||
[email protected]: |
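Review bot: the entry key on the last line of this context is rendered as `[email protected]`, which is not a valid yarn.lock key, so the package and version being added at this point cannot be read from the diff view. The finding anchored at yarn.lock:4671 below names jsonwebtoken with a fix version of 9.0.0 or later; confirm against the raw yarn.lock that the resolved version here is 9.x, since another 8.x release would leave that finding open after merge.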
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4671.
Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539
Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4710.
Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541
Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.
Fix: Upgrade this library to at least version 9.0.0 at auth0-account-link-extension/yarn.lock:4671.
Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541
Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.
Snyk has created this PR to fix 22 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json
yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
npm:http-proxy-agent:20180406
npm:https-proxy-agent:20180402
SNYK-JS-IP-6240864
npm:base64url:20180511
SNYK-JS-LODASH-567746
SNYK-JS-PACRESOLVER-1564857
SNYK-JS-NETMASK-1089716
SNYK-JS-NETMASK-6056519
SNYK-JS-LODASH-6139239
SNYK-JS-QS-3153490
SNYK-JS-SEMVER-3247795
SNYK-JS-LODASH-450202
SNYK-JS-LODASH-608086
SNYK-JS-LODASH-73638
SNYK-JS-Y18N-1021887
SNYK-JS-LODASH-1040724
SNYK-JS-IP-7148531
SNYK-JS-JSONSCHEMA-1920922
SNYK-JS-HTTPSPROXYAGENT-469131
SNYK-JS-LODASH-1018905
npm:extend:20180424
SNYK-JS-LODASH-73639
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.