Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: updating semver to 7.5.4 to resolve CVE-2022-25883 #932

Merged
merged 1 commit into from Aug 30, 2023
Merged

security: updating semver to 7.5.4 to resolve CVE-2022-25883 #932

merged 1 commit into from Aug 30, 2023

Conversation

jakelacey2012
Copy link
Contributor

@jakelacey2012 jakelacey2012 commented Aug 25, 2023
edited

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR updates semver to a minimum version of 7.5.4 to resolve CVE-2022-25883.

References

Testing

  • npm test is passing.
  • ✅ This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@jakelacey2012 jakelacey2012 changed the title Updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.2 to resolve CVE-2022-25883 Aug 25, 2023
@SEKERM SEKERM mentioned this pull request Aug 28, 2023
Closed
4 tasks
SEKERM
SEKERM reviewed Aug 28, 2023
View reviewed changes
Copy link

@SEKERM SEKERM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please go to 7.5.4.

@mkrudele
Copy link

When will this PR be merged and a new version of the module published?

cpettet
cpettet reviewed Aug 28, 2023
View reviewed changes
package.json Outdated
@@ -39,7 +39,7 @@
"jws": "^3.2.2",
"lodash": "^4.17.21",
"ms": "^2.1.1",
"semver": "^7.3.8"
"semver": "^7.5.2"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"semver": "^7.5.2"
"semver": "^7.5.4"

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a few bugfixes from 7.5.3 and 7.5.4.

@jakelacey2012 jakelacey2012 changed the title security: updating semver to 7.5.2 to resolve CVE-2022-25883 security: updating semver to 7.5.4 to resolve CVE-2022-25883 Aug 29, 2023
@jakelacey2012
Copy link
Contributor Author

@SEKERM @cpettet thanks for the feedback, I've updated to 7.5.4.

SEKERM
SEKERM approved these changes Aug 29, 2023
View reviewed changes
Copy link

@SEKERM SEKERM left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. @david-renaud-okta can you give approval with write access:

Review required
At least 1 approving review is required by reviewers with write access.

@SEKERM
Copy link

SEKERM commented Aug 30, 2023
edited

@jakelacey2012 when will you merge into master? Thank you.

@jakelacey2012 jakelacey2012 merged commit ed35062 into auth0:master Aug 30, 2023
7 checks passed
This was referenced Aug 30, 2023
Merged
Closed
@Uzlopak
Copy link

Uzlopak commented Nov 20, 2023

You could have just removed semver

https://github.com/auth0/node-jsonwebtoken/pull/880/files

D'oh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpettet cpettet cpettet left review comments

@CharlesRea CharlesRea CharlesRea approved these changes

@SEKERM SEKERM SEKERM approved these changes

@david-renaud-okta david-renaud-okta david-renaud-okta left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@jakelacey2012 @mkrudele @SEKERM @Uzlopak @CharlesRea @cpettet @david-renaud-okta