(Uploader) npm reports high severity vulnerability with @adobe/jwt-auth

Question

(Uploader) npm reports high severity vulnerability with @adobe/jwt-auth

Closed this issue 2 years ago · 4 comments

yuhui commented 2 years ago

Expected Behaviour

When installing, npm should not report any high severity vulnerabilities.

Actual Behaviour

When installing, npm reports a high severity vulnerability:

Steps to Reproduce

Environment: node v19.3.0, npm v9.2.0

Run npm i @adobe/reactor-uploader.

Platform and Version

All

Logs taken while reproducing problem

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
No fix available
node_modules/jsonwebtoken
  @adobe/jwt-auth  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@adobe/jwt-auth
    @adobe/reactor-uploader  >=2.0.0
    Depends on vulnerable versions of @adobe/jwt-auth
    node_modules/@adobe/reactor-uploader

4 high severity vulnerabilities

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

brenthosie commented 2 years ago

#60

Answer 1 · 2023-03-09T15:14:27.000Z

This vulnerability is caused by adobe/jwt-auth#60

Answer 2 · 2023-03-13T19:56:03.000Z

@adobe export issue to Jira project PDCL as Story

Answer 3 · 2023-03-13T19:56:09.000Z

✅ Jira issue PDCL-10140 is successfully created for this GitHub issue.