Merge branch 'master' into master

auth0 · Sep 14, 2023 · 99b305f · 99b305f
2 parents adf3a62 + bc28861
commit 99b305f
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,15 @@
 All notable changes to this project will be documented in this file starting from version **v4.0.0**.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## 9.0.2 - 2023-08-30
+
+- security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes [#921](https://github.com/auth0/node-jsonwebtoken/issues/921).
+- refactor: reduce library size by using lodash specific dependencies, closes [#878](https://github.com/auth0/node-jsonwebtoken/issues/878).
+
+## 9.0.1 - 2023-07-05
+
+- fix(stubs): allow decode method to be stubbed
+
 ## 9.0.0 - 2022-12-21
 
   **Breaking changes: See [Migration from v8 to v9](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9)**

diff --git a/index.js b/index.js
@@ -3,4 +3,4 @@ module.exports.verify = require('./verify');
 module.exports.sign = require('./sign');
 module.exports.JsonWebTokenError = require('./lib/JsonWebTokenError');
 module.exports.NotBeforeError = require('./lib/NotBeforeError');
-module.exports.TokenExpiredError = require('./lib/TokenExpiredError');
+module.exports.TokenExpiredError = require('./lib/TokenExpiredError');
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jsonwebtoken",
-  "version": "9.0.0",
+  "version": "9.0.2",
   "description": "JSON Web Token implementation (symmetric and asymmetric)",
   "main": "index.js",
   "exports": "./index.js",
@@ -38,9 +38,15 @@
   },
   "dependencies": {
     "jws": "^3.2.2",
-    "lodash": "^4.17.21",
+    "lodash.includes": "^4.3.0",
+    "lodash.isboolean": "^3.0.3",
+    "lodash.isinteger": "^4.0.4",
+    "lodash.isnumber": "^3.0.3",
+    "lodash.isplainobject": "^4.0.6",
+    "lodash.isstring": "^4.0.1",
+    "lodash.once": "^4.0.0",
     "ms": "^2.1.1",
-    "semver": "^7.3.8"
+    "semver": "^7.5.4"
   },
   "devDependencies": {
     "atob": "^2.1.2",

diff --git a/sign.js b/sign.js
@@ -2,7 +2,13 @@ const timespan = require('./lib/timespan');
 const PS_SUPPORTED = require('./lib/psSupported');
 const validateAsymmetricKey = require('./lib/validateAsymmetricKey');
 const jws = require('jws');
-const {includes, isBoolean, isInteger, isNumber, isPlainObject, isString, once} = require('lodash')
+const includes = require('lodash.includes');
+const isBoolean = require('lodash.isboolean');
+const isInteger = require('lodash.isinteger');
+const isNumber = require('lodash.isnumber');
+const isPlainObject = require('lodash.isplainobject');
+const isString = require('lodash.isstring');
+const once = require('lodash.once');
 const { KeyObject, createSecretKey, createPrivateKey } = require('crypto')
 
 const SUPPORTED_ALGS = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none'];