jsonwebtoken <=8.5.1 vulnerabilities #8764

Closed
fancywriter opened this issue Dec 22, 2022 · 1 comment
Labels
stage/6-released The issue has been solved on a released version of the library

Comments

@fancywriter

Which packages are impacted by your issue?

@graphql-codegen/cli

Describe the bug

Hello!

I am using @graphql-codegen/cli and recently npm audit started to show the following:

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix --force`
Will install @graphql-codegen/[email protected], which is a breaking change
node_modules/jsonwebtoken
  @graphql-tools/prisma-loader  6.0.16-alpha-08d81492.0 - 7.2.48
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@graphql-tools/prisma-loader
    @graphql-codegen/cli  1.17.8-alpha-091dfeae.0 - 1.17.8 || >=1.21.5-alpha-0a04346b.0
    Depends on vulnerable versions of @graphql-tools/prisma-loader
    node_modules/@graphql-codegen/cli

3 vulnerabilities (2 moderate, 1 high)

It advises downgrading to an older version.

I see it uses prisma-loader, which was recently upgraded in ardatan/graphql-tools#4923.

Your Example Website or App

.

Steps to Reproduce the Bug or Issue

npm i --save-dev @graphql-codegen/cli@latest
npm audit

Expected behavior

npm audit to not complain, or to propose a non-breaking fix

Screenshots or Videos

No response

Platform

  • OS: Linux
  • NodeJS: 18.12.1
  • graphql version: latest
  • @graphql-codegen/cli version(s): 2.16.1

Codegen Config File

No response

Additional context

No response

@saihaj saihaj added the stage/4-pull-request A pull request has been opened that aims to solve the issue label Dec 27, 2022
@saihaj
Collaborator

saihaj commented Dec 27, 2022

https://github.com/dotansimha/graphql-code-generator/releases/tag/release-1672172825816

@saihaj saihaj closed this as completed Dec 27, 2022
@saihaj saihaj added stage/6-released The issue has been solved on a released version of the library and removed stage/4-pull-request A pull request has been opened that aims to solve the issue labels Dec 27, 2022