In 1.x branch, could we bump jsonwebtoken to 9.0.2 to close out CVE-2022-25883

[nitrocode]

Thank you for maintaining this package and for the 1.x backport.

I scanned the code recently in github safe-settings and traced back the CVE to this repo. I saw that previously this package was bumped to 9.x in 1.1.1 and thought a patch version update could be done again for a 1.1.2 release without having to bump to 2.x if that's possible.

  No upgrade or patch available
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.3.5
    introduced by probot@12.3.3 > octokit-auth-probot@1.2.6 > @octokit/auth-app@3.6.1 > universal-github-app-jwt@1.1.1 > jsonwebtoken@9.0.0 > semver@7.3.8 and 4 other path(s)
  This issue was fixed in versions: 5.7.2, 6.3.1, 7.5.2

Related

• [MAINT]: Bump package to fix CVE-2022-23541 octokit/auth-app.js#430
• Fix CVE-2022-23541 #66
• https://github.com/gr2m/universal-github-app-jwt/releases/tag/v1.1.1
• https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.2
• https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
• https://www.cve.org/CVERecord?id=CVE-2022-25883

[gr2m]

yes, simply start a pull request against the 1.x branch, use fix: as the prefix in the pull request title. Once merged, a new 1.x release will be created automatically through release automation with semantic-release

[nitrocode]

Thanks @gr2m for the guidance. I submitted a PR. Please check when you have a second.

[github-actions]

🎉 This issue has been resolved in version 1.1.2 🎉

The release is available on:

• GitHub release
• npm package (@release-1.x dist-tag)

Your semantic-release bot 📦🚀