[Snyk] Security upgrade koa-jwt from 4.0.0 to 4.0.4 #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

snyk-bot wants to merge 1 commit into master from snyk-fix-5f5a68aca158e47f2af3a08ba118c596

snyk-bot commented Jan 9, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- package.json
- package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	671/1000 Why? Recently disclosed, Has a fix available, CVSS 7.7	Improper Input Validation SNYK-JS-JSONWEBTOKEN-3180020	No	No Known Exploit
	776/1000 Why? Recently disclosed, Has a fix available, CVSS 9.8	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	No	No Known Exploit
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	No	No Known Exploit
	626/1000 Why? Recently disclosed, Has a fix available, CVSS 6.8	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: koa-jwt

The new version differs by 20 commits.

ac272c0 4.0.4
0599444 Bump jsonwebtoken from 8.5.1 to 9.0.0
634c5c0 Bump qs from 6.9.3 to 6.11.0 (#192)
aabdf9d Bump ansi-regex from 3.0.0 to 3.0.1 (#190)
54abffc Bump minimist from 1.2.5 to 1.2.6 (#189)
8ae721d Bump pathval from 1.1.0 to 1.1.1 (#187)
81e326b chore: bump to 4.0.3
3e83be9 4.0.2
c667787 Export more interfaces
45bdca6 Bump path-parse from 1.0.6 to 1.0.7 (#184)
e944009 Bump glob-parent from 5.1.1 to 5.1.2
3fb4bb7 Bump lodash from 4.17.19 to 4.17.21
e1d9f1e 4.0.1
aa6e10a Bump y18n from 4.0.0 to 4.0.1
d663492 Bump lodash from 4.17.15 to 4.17.19
8ac436f Fix typing of `getToken`
f694cb6 support leading/trailing whitespace in Authorization header value
c073cf2 4.0.0
735b89d Add missing options:
fa27b12 Detail explicitly middleware's options in README

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Use of a Broken or Risky Cryptographic Algorithm


          fix: package.json & package-lock.json to reduce vulnerabilities

7ace99b

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024
- https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet