
Upgrade: jwa dependency from 1.1.5 -> 1.1.6 #80

Closed
andygout wants to merge 1 commit into auth0:master from Financial-Times:upgrade-jwa-dependency

Conversation

@andygout (Contributor)

Upgrades the jwa dependency from ^1.1.5 to ^1.1.6 so that projects not downloading packages on a semver basis (i.e. using a package-lock.json) are able to benefit from the changes introduced in v1.1.6 of that package, namely:

  • Dispensing with its dependency on base64url.
  • Upgrading ecdsa-sig-formatter from v1.0.9 to v1.0.10, the latter of which dispenses with its dependency on base64url.

Vulnerabilities have been reported (by WhiteSource and Snyk) in base64url < v3.0.0 and so we would like those versions to be excluded from our dependency tree.
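The point behind the bump is a lockfile one: a caret range such as ^1.1.5 in jwa's package.json lets a fresh `npm install` pick 1.1.6, but a committed package-lock.json keeps resolving the exact versions it already records, so nothing changes in the tree until the range itself is rewritten and the lock regenerated. A practitioner who wants to confirm that the regenerated lock really dropped every copy of base64url below 3.0.0 can scan the lockfile directly. The script below is an added example, not code from the jsonwebtoken or jwa projects or from this pull request's author; it assumes only the public package-lock.json layout (lockfileVersion 1 nests `dependencies`, versions 2 and 3 use a flat `packages` map keyed by node_modules paths), and the sample lockfiles it runs over are constructed for illustration, with every version number other than the jwa, ecdsa-sig-formatter and base64url figures named in the description being a placeholder.

```javascript
// Added example (not jsonwebtoken/jwa code): list every installed copy of a
// package in a package-lock.json whose version is below a given fix release.
// Assumes only the public lockfile layout; the sample lockfiles are constructed.

// Numeric compare of "major.minor.patch" cores; a pre-release suffix is
// stripped, which suffices for the versions npm writes into a lockfile.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, as { path, version }, where path is the
// chain of packages that pulled it in (e.g. "jwa > base64url").
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project itself
      const chain = key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
      if (chain[chain.length - 1] === name) {
        hits.push({ path: chain.join(' > '), version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: recurse through nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const chain = trail.concat(dep);
      if (dep === name) hits.push({ path: chain.join(' > '), version: entry.version });
      walk(entry.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Copies of `name` older than `fixedVersion`; an empty array means the tree is clean.
function findVulnerable(lock, name, fixedVersion) {
  return findInstalled(lock, name).filter((h) => compareVersions(h.version, fixedVersion) < 0);
}

// Constructed lockfiles: the tree before and after the jwa bump. Only jwa
// 1.1.5/1.1.6, ecdsa-sig-formatter 1.0.9/1.0.10 and the base64url < 3.0.0
// threshold come from the pull request; the other versions are placeholders.
const LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    jsonwebtoken: {
      version: '0.0.0-placeholder',
      dependencies: {
        jwa: {
          version: '1.1.5',
          dependencies: {
            base64url: { version: '2.0.0' },
            'ecdsa-sig-formatter': {
              version: '1.0.9',
              dependencies: { base64url: { version: '2.0.0' } },
            },
          },
        },
      },
    },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 1,
  dependencies: {
    jsonwebtoken: {
      version: '0.0.0-placeholder',
      dependencies: {
        jwa: { version: '1.1.6', dependencies: { 'ecdsa-sig-formatter': { version: '1.0.10' } } },
      },
    },
  },
};

// The same "before" tree in the flat lockfileVersion 3 layout.
const LOCK_BEFORE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app-placeholder' },
    'node_modules/jwa': { version: '1.1.5' },
    'node_modules/jwa/node_modules/base64url': { version: '2.0.0' },
    'node_modules/jwa/node_modules/ecdsa-sig-formatter': { version: '1.0.9' },
    'node_modules/jwa/node_modules/ecdsa-sig-formatter/node_modules/base64url': { version: '2.0.0' },
  },
};

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER], ['before (v3)', LOCK_BEFORE_V3]]) {
  const bad = findVulnerable(lock, 'base64url', '3.0.0');
  console.log(`${label}: ${bad.length} vulnerable copies`, bad.map((h) => `${h.path}@${h.version}`));
}
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of the constructed objects. Both copies of base64url show up in the "before" tree (one under jwa itself and one under ecdsa-sig-formatter), which is why upgrading jwa alone to a version that still used the old ecdsa-sig-formatter would not have been enough; the "after" tree, with ecdsa-sig-formatter 1.0.10, resolves none.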

@lgodmer

lgodmer commented Jun 28, 2018

Thanks @andygout!
@omsmith can we get a released version with this change? We are also hitting issues in snyk due to the jwa dependency.

@charlenetshos

charlenetshos commented Jul 9, 2018

@omsmith @brianloveswords we are failing nsp check in one of our projects because of https://nodesecurity.io/advisories/658.
When will this change be released?

@iamariffikri

Can we have this merged? Node security is bugging us for Out-of-bounds Read in base64url.


@tperamaki tperamaki left a comment


@brianloveswords I approved this PR, now you can merge it 😃

omsmith pushed a commit that referenced this pull request Jan 25, 2019
@omsmith omsmith closed this Jan 25, 2019


6 participants