mikenicholson/passport-jwt

jsonwebtoken@9.0.0 > semver@7.3.8 vulnerability

KsenyaJSN opened this issue · 1 comments

Vulnerable Dependency Information:

Package Name: jsonwebtoken
Vulnerable Version: 9.0.0
Dependency with ReDoS Vulnerability: semver@7.3.8
Vulnerability Severity: High

https://security.snyk.io/package/npm/semver

Fixed in jsonwebtoken v.9.0.2 (auth0/node-jsonwebtoken#921)

Hi @mikenicholson
This is an important vulnerability. This library should be updated quickly. It should be very easy to upgrade since v9.0.2 is a patch version and you are already using 9.0.0 on master.

Thanks
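
To check whether a project installs the versions named in this issue, the following added example (not part of the original issue or of passport-jwt) walks the `packages` map of an npm lockfile, finds every installed jsonwebtoken, and resolves which semver copy it actually loads. The version constants come from the issue; the sample lockfile, `example-lib` and its nested versions are constructed.

```javascript
// Added example, not from the issue or from passport-jwt.
const FIXED_JWT = '9.0.2';      // issue: fixed in jsonwebtoken v9.0.2
const FLAGGED_SEMVER = '7.3.8'; // issue: semver version reported as vulnerable

// Compare plain x.y.z versions (pre-release tags ignored): <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Find the copy of `dep` that the package at `fromPath` loads: its own
// node_modules first, then each enclosing node_modules up to the root.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Report every installed jsonwebtoken and the semver it resolves to.
function auditLock(lock) {
  const packages = lock.packages || {};
  return Object.keys(packages)
    .filter((p) => p === 'node_modules/jsonwebtoken' || p.endsWith('/node_modules/jsonwebtoken'))
    .map((path) => {
      const semverPath = resolveDep(packages, path, 'semver');
      const semverVersion = semverPath ? packages[semverPath].version : null;
      return { path, jsonwebtoken: packages[path].version,
        needsUpgrade: cmp(packages[path].version, FIXED_JWT) < 0,
        semverPath, semverFlagged: semverVersion === FLAGGED_SEMVER };
    });
}

// Constructed lockfile (v3 layout); example-lib and its nested versions are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/jsonwebtoken': { version: '9.0.0' },
  'node_modules/semver': { version: '7.3.8' },
  'node_modules/example-lib/node_modules/jsonwebtoken': { version: '9.0.2' },
  'node_modules/example-lib/node_modules/jsonwebtoken/node_modules/semver': { version: '0.0.0-constructed' },
} };

console.log(auditLock(sampleLock));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLock` in place of `sampleLock`.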