Update dependency jsonwebtoken to v9 #199

mend-for-github-com · 2023-03-26T19:41:03Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsonwebtoken	`0.4.0` -> `9.0.2`
@types/jsonwebtoken (source)	`^8.5.0` -> `^9.0.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

`v9.0.2`

Compare Source

security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
refactor: reduce library size by using lodash specific dependencies, closes #878.

`v9.0.1`

Compare Source

fix(stubs): allow decode method to be stubbed

`v9.0.0`

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

Removed support for Node versions 11 and below.
The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
Key types must be valid for the signing / verification algorithm

Security fixes

security: fixes Arbitrary File Write via verify function - CVE-2022-23529
security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

`v8.5.1`

Compare Source

Bug fix

fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

`v8.5.0`

Compare Source

New Functionality

feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

`v8.4.0`

Compare Source

New Functionality

Add verify option for nonce validation (#540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #540

Bug Fixes

Updating Node version in Engines spec in package.json (#528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #528 #509
Fixed error message when empty string passed as expiresIn or notBefore option (#531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #531

Docs

Update README.md (#527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #527
Update README.md (#538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #538
Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #548
Document NotBeforeError (#529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #529

Test Improvements

Use lolex for faking date in tests (#491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #491
Update dependencies used for running tests (#518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #518
Minor test refactoring for recently added tests (#504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #504
Create and implement async/sync test helpers (#523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #523
Refactor tests related to audience and aud (#503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #503
Refactor tests related to expiresIn and exp (#501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #501
Refactor tests related to iat and maxAge (#507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #507
Refactor tests related to iss and issuer (#543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #543
Refactor tests related to kid and keyid (#545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #545
Refactor tests related to notBefore and nbf (#497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #497
Refactor tests related to subject and sub (#505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #505
Implement async/sync tests for exp claim (#536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #536
Implement async/sync tests for nbf claim (#537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #537
Implement async/sync tests for sub claim (#534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #534
Implement async/sync tests for the aud claim (#535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #535

CI

Added Istanbul to check test-coverage (#468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #468
Complete ESLint conversion and cleanup (#490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #490
Make code-coverage mandatory when running tests (#495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #495

`v8.3.0`

Compare Source

docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
new feature: Secret callback revisited (#480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #480
docs:Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

`v8.2.2`

Compare Source

security: deps: jws@3.1.5 (#477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #465
docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
docs: Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

`v8.2.1`

Compare Source

bug fix: Check payload is not null when decoded. (#444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
docs: Clarify that buffer/string payloads must be JSON (#442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)

`v8.2.0`

Compare Source

Add a new mutatePayload option (#446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)

`v8.1.1`

Compare Source

ci: add newer node versions to build matrix (#428) (83f3eee44e122da06f812d7da4ace1fa26c24d9d)
deps: Bump ms version to add support for negative numbers (#438) (25e0e624545eaef76f3c324a134bf103bc394724)
docs: Minor typo (#424) (dddcb73ac05de11b81feeb629f6cf78dd03d2047)
bug fix: Not Before (nbf) calculated based on iat/timestamp (#437) (2764a64908d97c043d62eba0bf6c600674f9a6d6), closes #435

`v8.1.0`

Compare Source

#402: Don't fail if captureStackTrace is not a function (#410) (77ee965d9081faaf21650f266399f203f69533c5)
#403: Clarify error wording for "Expected object" error. (#409) (bb27eb346f0ff675a320b2de16b391a7cfeadc58)
Enhance audience check to verify against regular expressions (#398) (81501a17da230af7b74a3f7535ab5cd3a19c8315)

`v8.0.1`

Compare Source

Remove lodash.isarray dependency (#394) (7508e8957cb1c778f72fa9a363a7b135b3c9c36d)

`v8.0.0`

Compare Source

Breaking changes: See Migration notes from v7

docs: readme, migration notes (12cd8f7f47224f904f6b8f39d1dee73775de4f6f)
verify: remove process.nextTick (#302) (3305cf04e3f674b9fb7e27c9b14ddd159650ff82)
Reduce size of NPM package (#347) (0be5409ac6592eeaae373dce91ec992fa101bd8a)
Remove joi to shrink module size (#348) (2e7e68dbd59e845cdd940afae0a296f48438445f)
maxAge: Add validation to timespan result (66a4f8b996c8357727ce62a84605a005b2f5eb18)

`v7.4.3`

Compare Source

Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style) (PR 386)

`v7.4.2`

Compare Source

bugfix: sign: add check to be sure secret has a value (c584d1cbc34b788977b36f17cd57ab2212f1230e)
docs: about refreshing tokens (016fc10b847bfbb76b82171cb530f32d7da2001b)
docs: verifying with base64 encoded secrets (c25e9906801f89605080cc71b3ee23a5e45a5811)
tests: Add tests for ES256 (89900ea00735f76b04f437c9f542285b420fa9cb)
docs: document keyid as option (#361) (00086c2c006d7fc1a47bae02fa87d194d79aa558)
docs: readme: Using private key with passpharase (#353) (27a7f1d4f35b662426ff0270526d48658da4c8b7)

`v7.4.1`

Compare Source

bump ms to v2 due a ReDoS vulnerability (#352) (adcfd6ae4088c838769d169f8cd9154265aa13e0)

`v7.4.0`

Compare Source

Add docs about numeric date fields (659f73119900a4d837650d9b3f5af4e64a2f843b)
Make Options object optional for callback-ish sign (e202c4fd00c35a24e9ab606eab89186ade13d0cc)

`v7.3.0`

Compare Source

Add more information to maxAge option in README (1b0592e99cc8def293eed177e2575fa7f1cf7aa5)
Add clockTimestamp option to verify() you can set the current time in seconds with it (#274) (8fdc1504f4325e7003894ffea078da9cba5208d9)
Fix handling non string tokens on verify() input (#305) (1b6ec8d466504f58c5a6e2dae3360c828bad92fb), closes #305
Fixed a simple typo in docs (#287) (a54240384e24e18c00e75884295306db311d0cb7), closes #287
Raise jws.decode error to avoid confusion with "invalid token" error (#294) (7f68fe06c88d5c5653785bd66bc68c5b20e1bd8e)
rauchg/ms.js changed to zeit/ms (#303) (35d84152a6b716d757cb5b1dd3c79fe3a1bc0628)

`v7.2.1`

Compare Source

add nsp check to find vulnerabilities on npm test (4219c34b5346811c07f520f10516cc495bcc70dd)
revert to joi@^6 to keep ES5 compatibility (51d4796c07344bf817687f7ccfeef78f00bf5b4f)

Revert "Merge branch 'venatir-master'" (d06359ef3b4e619680e043ee7c16adda16598f52)

`v7.1.8`

Compare Source

Fixed tests, however typ: 'JWT' should not be in the options at all, so please review other tests (01903bcdc61b4ed429acbbd1fe0ffe0db364473b)
Removing unnecessary extra decoding. jwtString is already verified as valid and signature checked (55d5834f7b637011e1d8b927ff78a92a5fd521cf)
update changelog (5117aacd0118a10331889a64e61d8186112d8a23)

`v7.1.7`

Compare Source

Use lodash.once instead of unlicensed/unmaintained cb (3ac95ad93ef3068a64e03d8d14deff231b1ed529)

`v7.1.6`

Compare Source

fix issue with buffer payload. closes #216 (6b50ff324b4dfd2cb0e49b666f14a6672d015b22), closes #216

`v7.1.5`

Compare Source

update jws in package.json (b6260951eefc68aae5f4ede359210761f901ff7a)

`v7.1.3`

Compare Source

`v7.1.1`

Compare Source

Bump node-jws version number (07813dd7194630c9f452684279178af76464a759)
improve the documentation for expiration (771e0b5f9bed90771fb79140eb38e51a3ecac8f0)

`v7.1.0`

Compare Source

Exp calculated based on iat. fix #217 (757a16e0e35ad19f9e456820f55d5d9f3fc76aee), closes #217

`v7.0.1`

Compare Source

`v7.0.0`

Compare Source

change jwt.sign to return errors on callback instead of throwing errors (1e46c5a42aa3dab8478efa4081d8f8f5c5485d56)

`v6.2.0`

Compare Source

add support for options.clockTolerance to jwt.verify (65ddea934f226bf06bc9d6a55be9587515cfc38d)

`v6.1.2`

Compare Source

fix sign method for node.js 0.12. closes #193 (9c38374142d3929be3c9314b5e9bc5d963c5955f), closes #193
improve async test (7b0981380ddc40a5f1208df520631785b5ffb85a)

`v6.1.1`

Compare Source

`v6.1.0`

Compare Source

verify unsigned tokens (ec880791c10ed5ef7c8df7bf28ebb95c810479ed)

`v6.0.1`

Compare Source

This was an immediate change after publishing 6.0.0.

throw error on invalid options when the payload is not an object (304f1b33075f79ed66f784e27dc4f5307aa39e27)

`v6.0.0`

Compare Source

Change .sign to standard async callback (50873c7d45d2733244d5da8afef3d1872e657a60)
Improved the options for the sign method (53c3987b3cc34e95eb396b26fc9b051276e2f6f9)
- throw error on invalid options like expiresIn when the payload is not an object (304f1b33075f79ed66f784e27dc4f5307aa39e27)
- expiresInMinutes and expiresInSeconds are deprecated and no longer supported.
- notBeforeInMinutes and notBeforeInSeconds are deprecated and no longer supported.
- options are strongly validated.
- options.expiresIn, options.notBefore, options.audience, options.issuer, options.subject and options.jwtid are mutually exclusive with payload.exp, payload.nbf, payload.aud, payload.iss
- options.algorithm is properly validated.
- options.headers is renamed to options.header.
update CHANGELOG to reflect most of the changes. closes #136 (b87a1a8d2e2533fbfab518765a54f00077918eb7), closes #136
update readme (53a88ecf4494e30e1d62a1cf3cc354650349f486)

`v5.7.0`

Compare Source

add support for validating multiples issuers. closes #163 (39d9309ae05648dbd72e5fd1993df064ad0e8fa5), closes #163

`v5.6.2`

Compare Source

`v5.6.0`

Compare Source

added missing validations of sub and jti (a1affe960d0fc52e9042bcbdedb65734f8855580)
Fix tests in jwt.rs.tests.js which causes 4 to fail (8aedf2b1f575b0d9575c1fc9f2ac7bc868f75ff1)
Update README.md (349b7cd00229789b138928ca060d3ef015aedaf9)

`v5.5.4`

Compare Source

minor (46552e7c45025c76e3f647680d7539a66bfac612)

`v5.5.3`

Compare Source

add a console.warn on invalid options for string payloads (71200f14deba0533d3261266348338fac2d14661)
minor (65b1f580382dc58dd3da6f47a52713776fd7cdf2)

`v5.5.2`

Compare Source

fix signing method with sealed objects, do not modify the params object. closes #147 (be9c09af83b09c9e72da8b2c6166fa51d92aeab6), closes #147

`v5.5.1`

Compare Source

fix nbf verification. fix #152 (786d37b299c67771b5e71a2ca476666ab0f97d98), closes #152

`v5.5.0`

Compare Source

improvements to nbf and jti claims (46372e928f6d2e7398f9b88022ca617d2a3b0699)
Remove duplicate payload line (fix bug in IE strict mode) (8163d698e0c5ad8c44817a5dcd42a15d7e9c6bc8)
Remove duplicate require('ms') line (7c00bcbcbf8f7503a1070b394a165eccd41de66f)
Update README to reflect addition of async sign (d661d4b6f68eb417834c99b36769444723041ccf)

`v5.4.1`

Compare Source

`v5.4.0`

Compare Source

deprecate expireInMinutes and expireInSeconds - in favor of expiresIn (39ecc6f8f310f8462e082f1d53de0b4222b29b6f)

`v5.3.1`

Compare Source

`v5.2.0`

Compare Source

`v5.1.0`

Compare Source

added async signing (9414fbcb15a1f9cf4fe147d070e9424c547dabba)
Update README.md (40b2aaaa843442dfb8ee7b574f0a788177e7c904)

`v5.0.5`

Compare Source

add ms dep to package.json (f13b3fb7f29dff787e7c91ebe2eb5adeeb05f251)
add note to explain, related to #96 #101 #6 (dd8969e0e6ed0bcb9cae905d2b1a96476bd85da3)
add tests for options.headers (7787dd74e705787c39a871ca29c75a2e0a3948ac)
add tests for verify expires (d7c5793d98c300603440ab460c11665f661ad3a0)
add verify option maxAge (with tests) (49d54e54f7e70b1c53a2e4ee67e116c907d75319)
fix spelling error in error message (8078b11b224fa05ac9003ca5aa2c85e9f0128cfb)
Fix typo options.header is not a documented option + (5feaa5b962ccbddeff054817a410f7b0c1e6ce7f)
update JWT spec link. closes #112 (f5fa50f797456a12240589161835c7ea30807195), closes #112

`v5.0.4`

Compare Source

`v5.0.3`

Compare Source

Added nbf support (f26ba4e2fa197a20497632b63ffcd13ae93aacc4)
Added support for subject and jwt id (ab76ec5bc554e2d1e25376ddb7cea711d86af651)
Fix this referring to the global object instead of module.exports in verify() (93f554312e37129027fcf4916f48cb8d1b53588c)
Fix typo, line 139 README, complete option for .decode. (59c110aeb8c7c1847ef2ffd77702d13627c89e10)
minor (61ff1172272b582902313e958058ff22413494af)

`v5.0.2`

Compare Source

fix typo in docs . closes #86 (3d3413221f36acef4dfd1cbed87f1f3565cd6f84), closes #86

`v5.0.1`

Compare Source

Add option to return header and payload when decoding. (7254e011b59f892d1947e6c11819281adac7069d)
Avoid uncaught "SyntaxError: Unexpected token ͧ" error. (0dc59cd6ee15d83a606acffa7909ee76176ae186)
Document complete option in README. (ec32b20241a74d9681ea26e1a7024b4642468c00)
Fix example in README, silence verbose logging. (ba3174d10033c41e9c211a38f1cc67f74fbd7f69)
Fix link to auth0.com in README (1b3c5ff72c9bc25e9271646e679f3080f2a042a0)
Immediate return if not decoded. (851bda2b10168f3269c3da6e74d310742f31a193)
Prevent throw on undefined/null secret (0fdf78d4dbf609455f3277d6169a987aef0384d4)
Removed path from test (d6240e24186732d368bffe21143becf44c38f0d6)
Simplified checking for missing key (f1cffd033bffc44f20558eda4a797c3fa2f4ee05)
Typo (ffe68dbe0219bab535c1018448eb4c0b22f1f902)
Update CHANGELOG.md (927cce0dad1bc9aad75aeef53e276cf4cfc0d776)
Update CHANGELOG.md (6879e0fdde222995c70a3a69a4af94993d9c667e)
Update CHANGELOG.md (c5596c10e8705727fa13e0394184a606083078bc)
Update CHANGELOG.md (07541f0315f26d179e1cde92732b6124d6869b6f)
Update CHANGELOG.md (e6465d48ddd1dc2c3297229b28c78fd5490a2ba9)

`v5.0.0`

Compare Source

Changed

[sign] Only set defautl iat if the user does not specify that argument.

auth0/node-jsonwebtoken@e900282
auth0/node-jsonwebtoken@35036b1
auth0/node-jsonwebtoken@954bd7a
auth0/node-jsonwebtoken@24a3700
auth0/node-jsonwebtoken@a77df6d

Security

[verify] Update to jws@^3.0.0 and renaming header.alg mismatch exception to invalid algorithm and adding more mismatch tests.

As jws@3.0.0 changed the verify method signature to be jws.verify(signature, algorithm, secretOrKey), the token header must be decoded first in order to make sure that the alg field matches one of the allowed options.algorithms. After that, the now validated header.alg is passed to jws.verify

As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the jws one:

{ [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' }

That old error (removed from jws) has been replaced by a JsonWebTokenError with message invalid token.

Important: versions >= 4.2.2 this library are safe to use but we decided to deprecate everything < 5.0.0 to prevent security warnings from library node-jws when doing npm install.

auth0/node-jsonwebtoken@634b8ed
auth0/node-jsonwebtoken@9f24ffd
auth0/node-jsonwebtoken@19e6cc6
auth0/node-jsonwebtoken@1e46234
auth0/node-jsonwebtoken@954bd7a
auth0/node-jsonwebtoken@24a3700
auth0/node-jsonwebtoken@a77df6d

`v4.2.2`

Compare Source

Fixed

[asymmetric-keys] Fix verify for RSAPublicKey formated keys (jfromaniello - awlayton)
auth0/node-jsonwebtoken@4027946
auth0/node-jsonwebtoken@8df6aab

`v4.2.1`

Compare Source

Fixed

[asymmetric-keys] Fixed issue when public key starts with BEING PUBLIC KEY https://github.com/auth0/node-jsonwebtoken/issues/700) (jfromaniello)
auth0/node-jsonwebtoken@7017e74

`v4.2.0`

Compare Source

Security

[asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key.
When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS* family).

The issue was caused because the same signature was used to verify both type of tokens (verify method parameter: secretOrPublicKey).

This change adds a new parameter to the verify called algorithms. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string BEGIN CERTIFICATE the default is [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] otherwise is [ 'HS256','HS384','HS512' ]. (jfromaniello)
auth0/node-jsonwebtoken@c2bf7b2
auth0/node-jsonwebtoken@1bb584b