commit | 67dda587bbf01c26c8c4040083ddeced64f8db3b | |
---|---|---|
author | Nataniel Borges <natanieljr@google.com> | Fri Dec 23 15:55:25 2022 +0000 |
committer | Nataniel Borges <natanieljr@google.com> | Fri Dec 23 15:55:25 2022 +0000 |
tree | 50e0fdd82290607079c5435b70389d725f5ee63a | |
parent | 70945707bd1a74f67e15909e65c401ae245ae0fb |

Update dependencies to fix security vulnerability

npm audit report:

jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
fix available via `npm audit fix --force`
Will install auth0@3.0.1, which is a breaking change
node_modules/jsonwebtoken

auth0 2.13.0 - 3.0.0
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of jwks-rsa
node_modules/auth0

jwks-rsa 1.5.1 - 1.12.3
Depends on vulnerable versions of jsonwebtoken
node_modules/jwks-rs

Test: npm install && npm run build:all && npm run test:unit

Change-Id: I47dfb353718cd3c40dd7060d2c31cb5e1ebaec43