Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit failures due to jsonwebtoken #2578

Closed
diracdeltas opened this issue Dec 22, 2022 · 6 comments
Closed

npm audit failures due to jsonwebtoken #2578

diracdeltas opened this issue Dec 22, 2022 · 6 comments

Comments

@diracdeltas
Copy link

Is this a feature request or a bug?

bug

What is the current behavior?

npm audit in a package that depends on "web-ext": "7.4.0" fails due to vulnerable dependencies:

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken
  sign-addon  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/sign-addon
    web-ext  >=1.0.0
    Depends on vulnerable versions of sign-addon
    node_modules/web-ext

3 vulnerabilities (2 moderate, 1 high)
diracdeltas added a commit to brave/web-discovery-project that referenced this issue Dec 22, 2022
@diracdeltas
Override jsonwebtoken to be 9.0.0
54c4124 
Until mozilla/web-ext#2578 is fixed, this is
needed for
brave/brave-browser#27509
brave/brave-browser#27510
brave/brave-browser#27511
brave/brave-browser#27512
@diracdeltas diracdeltas mentioned this issue Dec 22, 2022
Merged
remusao pushed a commit to brave/web-discovery-project that referenced this issue Dec 22, 2022
@diracdeltas
Override jsonwebtoken to be 9.0.0 (#256)
93fdbbd 
Until mozilla/web-ext#2578 is fixed, this is
needed for
brave/brave-browser#27509
brave/brave-browser#27510
brave/brave-browser#27511
brave/brave-browser#27512
@equal-l2
Copy link
Contributor

This is solved on the master of sign-addon (mozilla/sign-addon#1175).
We need a new release of sign-addon to introduce the fix, though.

@diracdeltas
Copy link
Author

@equal-l2 thanks. Looks like now there is another one to fix too: GHSA-8gh8-hqwg-xf34

due to dependency on addons-linter which depends on ajv-merge-patch which depends on fast-json-patch

diracdeltas added a commit to brave/web-discovery-project that referenced this issue Dec 30, 2022
@diracdeltas
Override fast-json-patch
ccea954 
Needed until
mozilla/web-ext#2578 (comment)
is resolved for brave/brave-browser#27589
@diracdeltas diracdeltas mentioned this issue Dec 30, 2022
Merged
remusao pushed a commit to brave/web-discovery-project that referenced this issue Dec 30, 2022
@diracdeltas
Override fast-json-patch (#258)
0dd9da0 
Needed until
mozilla/web-ext#2578 (comment)
is resolved for brave/brave-browser#27589
@willdurand
Copy link
Member

I am taking a look now.

@willdurand
Copy link
Member

New failures caused by two JSON libs:

json5 (https://github.com/advisories/GHSA-9c47-m6qq-7p4h):
  2.2.1, paths: @babel/core>json5, babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5
  1.0.1, paths: eslint-plugin-import>tsconfig-paths>json5
fast-json-patch (https://github.com/advisories/GHSA-8gh8-hqwg-xf34):
  2.2.1, paths: addons-linter>ajv-merge-patch>fast-json-patch

@willdurand
Copy link
Member

willdurand commented Jan 2, 2023
edited
Loading

I filed ajv-validator/ajv-merge-patch#54 for:

fast-json-patch (GHSA-8gh8-hqwg-xf34):
2.2.1, paths: addons-linter>ajv-merge-patch>fast-json-patch

@willdurand willdurand mentioned this issue Jan 5, 2023
Closed
@willdurand
Copy link
Member

let's close this issue, I filed a new one for the last npm audit failure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@willdurand @diracdeltas @equal-l2