Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2022-23541 #66

Merged
merged 1 commit into from
Dec 22, 2022
Merged

Fix CVE-2022-23541 #66

merged 1 commit into from
Dec 22, 2022

Conversation

ajschmidt8
Copy link
Contributor

This PR updates the version of jsonwebtoken used in order to resolve CVE-2022-23541.

See the link below for more details.

GHSA-hjrf-2m68-5959

@ajschmidt8
Fix CVE-2022-23541
de9caaa 
This PR updates the version of `jsonwebtoken` used in order to resolve `CVE-2022-23541`.

See the link below for more details.

GHSA-hjrf-2m68-5959
gr2m
gr2m approved these changes Dec 22, 2022
View reviewed changes
Copy link
Owner

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@gr2m gr2m merged commit 259e45a into gr2m:master Dec 22, 2022
@github-actions
Copy link

🎉 This PR is included in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@vavsab vavsab mentioned this pull request Dec 28, 2022
Closed
1 task
@wolfy1339
Copy link

Hey @gr2m can you backport this to v1?

@kfcampbell
Copy link

@wolfy1339 @gr2m I forked the project, updated the version of jsonewebtoken, and ran npm install. You can view the diff here.

However, since there isn't a branch for v1 currently and I don't have permission to create one, I'm not sure what the best strategy is from here. @gr2m maybe would you mind creating a v1-cve-backport branch that I could PR to and we could release as v1.2.0? What do you think would be the best way forward?

@restfulhead
Copy link

Yes, please back-port. Popular libraries depend on 1.x and can't easily upgrade to 2.x because 2.x is ESM.

@kfcampbell
Copy link

@gr2m I think this is still an issue. Would it be okay to backport to v1? If given appropriate permissions I'm happy to do it myself.

@gr2m
Copy link
Owner

gr2m commented Jan 18, 2023

It is backported to v1

@kfcampbell
Copy link

Awesome, thank you!

This was referenced Jan 3, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gr2m gr2m gr2m approved these changes

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ajschmidt8 @wolfy1339 @kfcampbell @restfulhead @gr2m