chore(deps): update dependency jsonwebtoken to v8 #485

mend-for-github-com · 2024-09-08T18:04:13Z

This PR contains the following updates:

Package	Type	Update	Change
jsonwebtoken	dependencies	major	`^7.0.0` -> `^8.0.0`

By merging this PR, the below issues will be automatically resolved and closed:

Severity	CVSS Score	CVE	GitHub Issue
High	8.8	CVE-2018-3728	#468

auth0/node-jsonwebtoken (jsonwebtoken)

Breaking changes: See Migration notes from v7

docs: readme, migration notes (12cd8f7f47224f904f6b8f39d1dee73775de4f6f)
verify: remove process.nextTick (#302) (3305cf04e3f674b9fb7e27c9b14ddd159650ff82)
Reduce size of NPM package (#347) (0be5409ac6592eeaae373dce91ec992fa101bd8a)
Remove joi to shrink module size (#348) (2e7e68dbd59e845cdd940afae0a296f48438445f)
maxAge: Add validation to timespan result (66a4f8b996c8357727ce62a84605a005b2f5eb18)

Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style) (PR 386)

bugfix: sign: add check to be sure secret has a value (c584d1cbc34b788977b36f17cd57ab2212f1230e)
docs: about refreshing tokens (016fc10b847bfbb76b82171cb530f32d7da2001b)
docs: verifying with base64 encoded secrets (c25e9906801f89605080cc71b3ee23a5e45a5811)
tests: Add tests for ES256 (89900ea00735f76b04f437c9f542285b420fa9cb)
docs: document keyid as option (#361) (00086c2c006d7fc1a47bae02fa87d194d79aa558)
docs: readme: Using private key with passpharase (#353) (27a7f1d4f35b662426ff0270526d48658da4c8b7)

bump ms to v2 due a ReDoS vulnerability (#352) (adcfd6ae4088c838769d169f8cd9154265aa13e0)

Add docs about numeric date fields (659f73119900a4d837650d9b3f5af4e64a2f843b)
Make Options object optional for callback-ish sign (e202c4fd00c35a24e9ab606eab89186ade13d0cc)

Add more information to maxAge option in README (1b0592e99cc8def293eed177e2575fa7f1cf7aa5)
Add clockTimestamp option to verify() you can set the current time in seconds with it (#274) (8fdc1504f4325e7003894ffea078da9cba5208d9)
Fix handling non string tokens on verify() input (#305) (1b6ec8d466504f58c5a6e2dae3360c828bad92fb), closes #305
Fixed a simple typo in docs (#287) (a54240384e24e18c00e75884295306db311d0cb7), closes #287
Raise jws.decode error to avoid confusion with "invalid token" error (#294) (7f68fe06c88d5c5653785bd66bc68c5b20e1bd8e)
rauchg/ms.js changed to zeit/ms (#303) (35d84152a6b716d757cb5b1dd3c79fe3a1bc0628)

add nsp check to find vulnerabilities on npm test (4219c34b5346811c07f520f10516cc495bcc70dd)
revert to joi@^6 to keep ES5 compatibility (51d4796c07344bf817687f7ccfeef78f00bf5b4f)

Revert "Merge branch 'venatir-master'" (d06359ef3b4e619680e043ee7c16adda16598f52)

Fixed tests, however typ: 'JWT' should not be in the options at all, so please review other tests (01903bcdc61b4ed429acbbd1fe0ffe0db364473b)
Removing unnecessary extra decoding. jwtString is already verified as valid and signature checked (55d5834f7b637011e1d8b927ff78a92a5fd521cf)
update changelog (5117aacd0118a10331889a64e61d8186112d8a23)