From 552ec87ae54355118b1b7d05715ff9443d435545 Mon Sep 17 00:00:00 2001 From: Luc Street Date: Wed, 27 Jan 2021 16:02:26 +0000 Subject: [PATCH] Update jwks-rsa to address security issue OKTA-365079 <<>> Artifact: okta-oidc-js --- packages/jwt-verifier/CHANGELOG.md | 1 + packages/jwt-verifier/package.json | 2 +- packages/jwt-verifier/yarn.lock | 37 +++++++++++------------------- 3 files changed, 16 insertions(+), 24 deletions(-) diff --git a/packages/jwt-verifier/CHANGELOG.md b/packages/jwt-verifier/CHANGELOG.md index 9441180b0..e6ce9eede 100644 --- a/packages/jwt-verifier/CHANGELOG.md +++ b/packages/jwt-verifier/CHANGELOG.md @@ -3,6 +3,7 @@ ### Other - [#952](https://github.com/okta/okta-oidc-js/pull/952) - Updates configuration-validation dependency to 1.0.0 +- [#953](https://github.com/okta/okta-oidc-js/pull/963) - Fixes security vulnerability in jwks-rsa dependency # 2.0.0 diff --git a/packages/jwt-verifier/package.json b/packages/jwt-verifier/package.json index 22234884d..457a2bd3b 100644 --- a/packages/jwt-verifier/package.json +++ b/packages/jwt-verifier/package.json @@ -35,7 +35,7 @@ "license": "Apache-2.0", "dependencies": { "@okta/configuration-validation": "^1.0.0", - "jwks-rsa": "1.11.0", + "jwks-rsa": "1.12.1", "njwt": "^1.0.0" }, "devDependencies": { diff --git a/packages/jwt-verifier/yarn.lock b/packages/jwt-verifier/yarn.lock index c5eb6ef49..bbf9df21b 100644 --- a/packages/jwt-verifier/yarn.lock +++ b/packages/jwt-verifier/yarn.lock @@ -594,12 +594,12 @@ aws4@^1.8.0: resolved "https://registry.yarnpkg.com/aws4/-/aws4-1.10.1.tgz#e1e82e4f3e999e2cfd61b161280d16a111f86428" integrity sha512-zg7Hz2k5lI8kb7U32998pRRFin7zJlkfezGJjUc2heaD4Pw2wObakCDVzkKztTm/Ln7eiVvYsjqak0Ed4LkMDA== -axios@^0.19.2: - version "0.19.2" - resolved "https://registry.yarnpkg.com/axios/-/axios-0.19.2.tgz#3ea36c5d8818d0d5f8a8a97a6d36b86cdc00cb27" - integrity sha512-fjgm5MvRHLhx+osE2xoekY70AhARk3a6hkN+3Io1jc00jtquGvxYlKlsFUhmUET0V5te6CcZI7lcv2Ym61mjHA== +axios@^0.21.1: + version "0.21.1" + resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz#22563481962f4d6bde9a76d516ef0e5d3c09b2b8" + integrity sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA== dependencies: - follow-redirects "1.5.10" + follow-redirects "^1.10.0" babel-jest@^24.9.0: version "24.9.0" @@ -963,13 +963,6 @@ debug@4: dependencies: ms "2.1.2" -debug@=3.1.0: - version "3.1.0" - resolved "https://registry.yarnpkg.com/debug/-/debug-3.1.0.tgz#5bb5a0672628b64149566ba16819e61518c67261" - integrity sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g== - dependencies: - ms "2.0.0" - debug@^3.1.0, debug@^3.2.6: version "3.2.6" resolved "https://registry.yarnpkg.com/debug/-/debug-3.2.6.tgz#e83d17de16d8a7efb7717edbe5fb10135eee629b" @@ -1338,12 +1331,10 @@ find-up@^3.0.0: dependencies: locate-path "^3.0.0" -follow-redirects@1.5.10: - version "1.5.10" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.5.10.tgz#7b7a9f9aea2fdff36786a94ff643ed07f4ff5e2a" - integrity sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ== - dependencies: - debug "=3.1.0" +follow-redirects@^1.10.0: + version "1.13.1" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.13.1.tgz#5f69b813376cee4fd0474a3aba835df04ab763b7" + integrity sha512-SSG5xmZh1mkPGyKzjZP8zLjltIfpW32Y5QpdNJyjcfGxK3qo3NDDkZOZSFiGn1A6SclQxY9GzEwAHQ3dmYRWpg== for-in@^1.0.2: version "1.0.2" @@ -2273,13 +2264,13 @@ jwa@^1.4.1: ecdsa-sig-formatter "1.0.11" safe-buffer "^5.0.1" -jwks-rsa@1.11.0: - version "1.11.0" - resolved "https://registry.yarnpkg.com/jwks-rsa/-/jwks-rsa-1.11.0.tgz#c7160a1457d7aab2da0148253854948c51baf87a" - integrity sha512-G7ZgXZ3dlGbOUBQwgF+U/SVzOlI9KxJ9Uzp61bue2S5TV0h7c+kJRCl3bEPkC5PVmeu7/h82B3uQALVJMjzt/Q== +jwks-rsa@1.12.1: + version "1.12.1" + resolved "https://registry.yarnpkg.com/jwks-rsa/-/jwks-rsa-1.12.1.tgz#fd16ef190a6d00c09c9789e55d726c6f9afa5a3b" + integrity sha512-N7RsfrzK3+S+SqKEEhWF7Ak87Gzg0KcZq/f8h0VqL2ur3nTB6pi5J12uelGAzB3VfhWQI+zfolHE2XDu/EI7Hg== dependencies: "@types/express-jwt" "0.0.42" - axios "^0.19.2" + axios "^0.21.1" debug "^4.1.0" http-proxy-agent "^4.0.1" https-proxy-agent "^5.0.0"