dependabot npm(deps): bump jsonwebtoken from 8.5.1 to 9.0.0
Bumps jsonwebtoken from 8.5.1 to 9.0.0.
Changelog
Sourced from jsonwebtoken's changelog.
9.0.0 - 2022-12-21
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
- RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
- Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes
Arbitrary File Write via verify function
- CVE-2022-23529- security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass
- CVE-2022-23540- security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- CVE-2022-23541- security: fixes
Unrestricted key type could lead to legacy keys usage
- CVE-2022-23539
Commits
-
e1fa9dc
Merge pull request from GHSA-8cf7-32gw-wr33 -
5eaedbf
chore(ci): remove github test actions job (#861) -
cd4163e
chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856) -
ecdf6cc
fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr... -
8345030
fix(sign&verify)!: Remove defaultnone
support fromsign
andverify
met... -
7e6a86b
Upload OpsLevel YAML (#849) -
74d5719
docs: update references vercel/ms references (#770) -
d71e383
docs: document "invalid token" error -
3765003
docs: fix spelling in README.md: Peak -> Peek (#754) -
a46097e
docs: make decode impossible to discover before verify - Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.