drop in replace base64url due to a vulnerability

[panva]

Hi @linuxwolf,

the base64url package has a found vulnerability currently reported by snyk and other tools. The report history shows attempts to contact the maintainer for a fix with no success since march 2017.

b64u is a drop-in replacement with the vulnerability fixed. It'd be great if you could fast-forward a patch release with this fix.

Also, there was a forgotten .only in the test suite.

[MeirionHughes]

maybe better to use base64-url as it has an engine requirement of 6+, which natively complains about new buffer(1000, encoding). b64u still supported node 4+ and has less downloads/stars.

[panva]

b64u is not using new Buffer, so it's all good and has toBuffer which node-jose needs. Also support for lts/4 is needed

[MeirionHughes]

ah yes, I see; so many tabs open I must have been looking at something else. :D

[panva]

Is there something in the build that makes it fail in lts/8?

[linuxwolf]

Thanks @panva . Looking at the error log from Travis-CI, it appears that toBuffer isn't coming back as a function in the browser (Firefox release). Will have to do some investigation into why ...

[linuxwolf]

Taking a quick look, it looks like webpack is importing it as an es6 module, with a default instead of the rest of the methods. The quick hack fix is:

var impl = require("b64u");
if (impl.default) {
    impl = impl.default;
}

Will have to determine what the better fix is long term, though.

[panva]

That really looks weird. Isn’t there a webpack option for this?

[linuxwolf]

@panva So far I can't find it.

It might involve having to add babel ... which is too much to include in this PR.

[linuxwolf]

@panva Thanks very much!

I've added an issue (#180) to track getting rid of this default hack.

[panva]

Great thank you @linuxwolf, any chance for a patch release on the 0.11.x track? It would immidiately fix the dependent packages without requiring a 0.12 (to be released) update. (Semver below 1.0.0 doesnt pickup minor patches)

[linuxwolf]

@panva Working that out today. It might be bending the semver promise, but not by much.

[panva]

Applying this PR on top of the latest tag only would be great. No breaking then.

[linuxwolf]

That's exactly what I'm doing now; I wasn't sure how far master had progressed from 0.11.0, but it's enough that a patch is safer.

Will push to npm today, but might still be a couple of hours from now.

[panva]

[email protected] got released 🤦‍♂️

[linuxwolf]

(I wonder if @vladikoff had anything to do with this ... 😛 )

Glad they updated; is it worth going back at some point in the future?

[panva]

With the next patch I will, just so that my software uses more used/watched dependencies and with that ends up with cleaner dependency trees. For node-jose, your call.

[vladikoff]

@linuxwolf I also had the same problem as mentioned in #179 (comment)

I'm leaning towards using [email protected] but up to you