fireblocks/fireblocks-sdk-js

[Bug] jsonwebtoken <=8.5.1

Closed this issue · 1 comments

npm audit fix error
jsonwebtoken <=8.5.1
Severity: high

To Reproduce
Steps to reproduce the behavior:

  1. Run npm install fireblocks-sdk
  2. Run npm audit fix
  3. See below error:

```
# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
No fix available
node_modules/jsonwebtoken
  fireblocks-sdk  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/fireblocks-sdk
```

Version:

  • fireblocks-sdk version: 2.5.3
  • npm version: 8.19.2
  • node version: v16.14.2

Fixed in #132
Thanks for reporting