npm audit - "vulnerable versions of elliptic"

[endel]

Hi there 👋

The npm audit is saying grant is vulnerable because of Brightspace/node-jwk-to-pem#187

Comments on the jwk-to-pem thread are saying Node.js now supports that same functionality natively now, so maybe jwk-to-pem dependency could be entirely removed now?

Cheers!

---

# npm audit report

elliptic  >=2.0.0
Elliptic allows BER-encoded signatures - https://github.com/advisories/GHSA-49q7-c7j4-3p7m
Elliptic's ECDSA missing check for whether leading bit of r and s is zero - https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic's EDDSA missing signature length check - https://github.com/advisories/GHSA-f7q4-pwc6-w24p
fix available via `npm audit fix --force`
Will install colyseus@0.15.13, which is a breaking change
node_modules/elliptic
  jwk-to-pem  >=1.2.1
  Depends on vulnerable versions of elliptic
  node_modules/jwk-to-pem
    grant  >=5.1.0
    Depends on vulnerable versions of jwk-to-pem

[simov]

Thanks for reporting this, I will have a look.

Note that this dependency is only being used when you have configured your client (provider) in Grant to authenticate with token_endpoint_auth_method=private_key_jwt, if your provider supports that in the first place.

[simov]

I was planning to release a patch, but it just got fixed here indutny/elliptic#317