High vulnerability due to package jsonwebtoken@8.5.1 #88

Open
Niestsabes opened this issue Jul 1, 2024 · 1 comment

Comments

@Niestsabes

Running npm audit reveals worrying high vulnerabilities.

Expected Behavior

No vulnerability should be returned by npm audit

Current Behavior

Below is part of the output I get when running npm audit:

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959

This outcome is quite expected, as the version declared in the package.json file is 8.5.1, while this version is known to contain major vulnerabilities fixed in versions >=9.0.0.

Possible Solution

Upgrade jsonwebtoken package to v9.0.0 or above.

Steps to Reproduce

  1. Run npm audit

Context (Environment)

For context:

  • I'm using Kuzzle as a framework for my backend, which depends on kuzzle-plugin-auth-passport-local@latest.
  • I detected the issue when verifying my deployment pipelines (they were failing because of the audit stage)
@rolljee, Contributor

rolljee commented Jul 3, 2024

Hello 👋🏼 and thank you for reporting this issue.

This project has not been updated in a long time, but it is used by our core component. We will soon update all of it in order to get rid of the issue.
