Update dependency jsonwebtoken to v9 (!38) · Merge requests · IT Common Platform / platform-support / apps / dashboard · GitLab

This is an archived project. Repository and other project resources are read-only.

Ghost User requested to merge renovate-jsonwebtoken-9.x into main Mar 10, 2023

This MR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsonwebtoken	`^8.5.1` -> `^9.0.0`

Release Notes

auth0/node-jsonwebtoken

`v9.0.0`

Breaking changes: See Migration from v8 to v9

Breaking changes

Removed support for Node versions 11 and below.
The verify() function no longer accepts unsigned tokens by default. ([8345030]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
RSA key size must be 2048 bits or greater. ([ecdf6cc]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
Key types must be valid for the signing / verification algorithm

Security fixes

security: fixes Arbitrary File Write via verify function - CVE-2022-23529
security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.