This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
Vulnerabilities that will be fixed
With an upgrade:
Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
:-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------
| 671/1000
Why? Recently disclosed, Has a fix available, CVSS 7.7 | Improper Input Validation
SNYK-JS-JSONWEBTOKEN-3180020 | Yes | No Known Exploit
| 611/1000
Why? Recently disclosed, Has a fix available, CVSS 6.5 | Improper Authentication
SNYK-JS-JSONWEBTOKEN-3180022 | Yes | No Known Exploit
| 611/1000
Why? Recently disclosed, Has a fix available, CVSS 6.5 | Improper Restriction of Security Token Assignment
SNYK-JS-JSONWEBTOKEN-3180024 | Yes | No Known Exploit
| 526/1000
Why? Recently disclosed, Has a fix available, CVSS 4.8 | Use of a Broken or Risky Cryptographic Algorithm
SNYK-JS-JSONWEBTOKEN-3180026 | Yes | No Known Exploit
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: jsonwebtoken
The new version differs by 17 commits.
- e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
- 5eaedbf chore(ci): remove github test actions job (#861)
- cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
- ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
- 8345030 fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
- 7e6a86b Upload OpsLevel YAML (#849)
- 74d5719 docs: update references vercel/ms references (#770)
- d71e383 docs: document "invalid token" error
- 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
- a46097e docs: make decode impossible to discover before verify
- 15a1bc4 refactor: make decode non-enumerable
- 5f10bf9 docs: add jwtid to options of jwt.verify (#704)
- 88cb9df Replace tilde-indexOf with includes (#647)
- a6235fa Adds not to README on decoded payload validation (#646)
- 5ed1f06 docs: fix tiny style change in readme (#622)
- 9fb90ca style: add missing semicolon (#641)
- a9e38b8 ci: use circleci (#589)
See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Use of a Broken or Risky Cryptographic Algorithm