Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency jose to v4 [security] #3581

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency jose to v4 [security] #3581

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jose 2.0.7 -> 4.15.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-28176

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.

Note that as per RFC 8725 compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of jose removed support for compressed payloads entirely and is therefore NOT affected by this advisory.

Impact

Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations.

Affected users

The impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.

You are NOT affected if any of the following applies to you

  • Your code uses jose version v5.x where JWE Compression is not supported anymore
  • Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), which is the only runtime where JWE Compression is implemented out of the box
  • Your code does not use the JWE decryption APIs
  • Your code only accepts JWEs produced by trusted sources

Patches

v2.0.7 and v4.15.5 releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the inflateRaw decryption option implementation. In v2.x it is possible to further adjust this limit via the inflateRawSyncLimit decryption option.

Workarounds

If you cannot upgrade and do not want to support compressed JWEs you may detect and reject these tokens early by checking the token's protected header

const { zip } = jose.decodeProtectedHeader(token)
if (zip !== undefined) {
  throw new Error('JWE Compression is not supported')
}

If you wish to continue supporting JWEs with compressed payloads in these legacy release lines you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.

For more information

If you have any questions or comments about this advisory please open a discussion in the project's repository

Release Notes

panva/jose (jose)

v4.15.5

Compare Source

Fixes

v4.15.4

Compare Source

Fixes

v4.15.3

Compare Source

v4.15.2

Compare Source

Fixes
  • build: add a node target for jose-browser-runtime releases (abb63d0)

v4.15.1

Compare Source

Fixes
  • resolve missing types for the cryptoRuntime const (1627965)

v4.15.0

Compare Source

Features
  • export the used crypto runtime as a constant (0681dda)

v4.14.6

Compare Source

Fixes
  • build: publish bundle and umd files with jose-browser-runtime module (62fcbcc), closes #​571

v4.14.5

Compare Source

Refactor
  • catch type error when decoding base64url signature (#​569) (935e920)
  • catch type errors when decoding various base64url strings (9024e87)

v4.14.4

Compare Source

Refactor
  • cleanup NODE-ED25519 workerd workarounds (072e83d)

v4.14.3

Compare Source

Reverts
  • Revert "fix(types): headers and payloads may only be JSON values and primitives" (06d8101), closes #​534

v4.14.2

Compare Source

Fixes
  • types: headers and payloads may only be JSON values and primitives (24f306e)

v4.14.1

Compare Source

v4.14.0

Compare Source

Features
  • add requiredClaims JWT validation option (eeea91d)

v4.13.2

Compare Source

Refactor
  • src/util/decode_protected_header.ts (5716725)

v4.13.1

Compare Source

Fixes
  • workerd: avoid "The script will never generate a response" edge cases completely (96a8c99), closes #​355 #​509

v4.13.0

Compare Source

Features
  • types: allow generics to aid in CryptoKey or KeyObject narrowing of KeyLike (6effa4d)
Fixes
  • make jose.EmbeddedJWK arguments optional (20610a9)

v4.12.2

Compare Source

Fixes
  • types: declare explicit return from EmbeddedJWK (46934ac)

v4.12.1

Compare Source

Refactor
  • clarify when alg is used and required on key imports (19e525f)
  • node: have node:crypto deal with x509 parsing (45bb45d)

v4.12.0

Compare Source

Features
  • enable key iteration over JWKSMultipleMatchingKeys (a278acd)

v4.11.4

Compare Source

Fixes
  • build: ignore deno files in npm publishes (b3d6a11)

v4.11.3

Compare Source

Fixes
  • CF Workers: improve miniflare compat with different Node.js versions, get ready for future non-proprietary support (3406b9f), closes #​446 #​495 #​497

v4.11.2

Compare Source

Refactor
  • node: dry node version checks (aff2f7c)

v4.11.1

Compare Source

v4.11.0

Compare Source

Features
  • add bun as a supported runtime (3a63631)
Fixes
  • respect JWK ext for symmetric keys (20557fc)

v4.10.4

Compare Source

Fixes
  • typo in importPKSC8 error message (#​468) (746bc64)
  • workaround for invalid use checks on CF Workers and Deno (e4d04eb)

v4.10.3

Compare Source

v4.10.2

Compare Source

v4.10.1

Compare Source

v4.10.0

Compare Source

Features
  • Curve25519, and Curve448 support for WebCryptoAPI runtimes (fea359a)
Fixes
  • importX509: handle length encodings better (47d0d77), closes #​459

v4.9.3

Compare Source

Refactor
  • update CEK length validation error message (81a92a9)
  • update key input validation error messages (2eac34a)
  • update keylike description for WinterCG (6741679)

v4.9.2

Compare Source

Fixes
  • limit default PBES2 alg's computational expense (03d6d01)

v4.9.1

Compare Source

Fixes
  • deno: add a Deno package entrypoint (9f3c459)

v4.9.0

Compare Source

Features
  • add support for RFC 9278 - JWK Thumbprint URI (d06ce65)
Refactor
  • consume some base64url decode errors (#​436) (caaf2c3)
  • unify JOSENotSupported throw on key export (fe5d093)

v4.8.3

Compare Source

v4.8.1

Compare Source

Fixes
  • typescript: add types export for nodenext module resolution (#​406) (5a6d8f0)

v4.8.0

Compare Source

Features

v4.7.0

Compare Source

Features

v4.6.2

Compare Source

Fixes
  • dont check JWT iat is in the past unless maxTokenAge is used (96d85c7)

v4.6.1

Compare Source

v4.6.0

Compare Source

Features
  • mark APIs and parameters that can lead to footguns as deprecated (0ddbcc6)
  • types: include JSDoc in the types (74187a9)

v4.5.3

Compare Source

Fixes
  • web api runtime: rely on default fetch init values (df6d966)

v4.5.2

Compare Source

Fixes

v4.5.1

Compare Source

Fixes
  • typescript: allow synchronous get key functions (7c99153)

v4.5.0

Compare Source

Features
  • add jose.decodeJwt utility (3d2a2b8)
Fixes

v4.4.0

Compare Source

Features
  • add createLocalJWKSet, resolver to verify using a local JWKSet (bd7bf37)

v4.3.9

Compare Source

Fixes
  • only add y to the epk header parameter when EC keys are used (dd6775e), closes #​348

v4.3.8

Compare Source

v4.3.7

Compare Source

Fixes
  • typescript: b64: true is fine to use in JWT, its useless, but allowed (#​324) (ee401c9)

v4.3.6

Compare Source

Fixes
  • electron: rsa-pss keys are never supported (188c1f7)

v4.3.5

Compare Source

Fixes

v4.3.4

Compare Source

Fixes
  • Compact JWS verification handles a zero-length payload string (7c70e7b)

v4.3.3

Compare Source

Fixes
  • typescript: apply updated compact and jwt headers to compact/jwt verify and decrypt results (0c1946c)

v4.3.2

Compare Source

Fixes
  • createRemoteJWKSet handles all JWS syntaxes (aaba8f3)
  • typescript: Compact JWS Header Parameters has alg and enc as required (0fa87af)
  • typescript: Compact JWS Header Parameters has alg as required (c7fabd0)
  • typescript: Signed JWT Header Parameters has alg as required and b64 as never (79cbd82)

v4.3.0

Compare Source

Features
  • add GeneralSign signature and GeneralEncrypt recipient builder chaining (cfc93f5)

v4.2.1

Compare Source

Fixes
  • node: dont mention CryptoKey in versions without webcrypto (401cabf)

v4.2.0

Compare Source

Features

v4.1.5

Compare Source

Fixes
  • importX509 certificate values that do not include a version number (51a18b6), closes #​308

v4.1.4

Compare Source

Fixes
  • allow shorter HMAC secrets (57126f1)

v4.1.3

Compare Source

Fixes
  • edge-functions: don't use globalThis (3952030)

v4.1.2

Compare Source

Fixes
  • build: ensure cjs/esm specific packages have the right main entry (2f4526a)

v4.1.1

Compare Source

Fixes
  • typescript: work around potentially missing global URL from DOM lib (7ed731c), closes #​295

v4.1.0

Compare Source

Features
  • web: publish umd and bundle files to cdnjs.com (3b3100a)

v4.0.4

Compare Source

Fixes
  • web: check Uint8Array CEK lengths, refactor for better tree-shaking (e8299f2)

v4.0.3

Compare Source

Fixes
  • web: checking cryptokey applicability early (89dc2aa)

v4.0.2

Compare Source

Fixes

v4.0.1

Compare Source

Fixes
  • typescript: re-export all types from index.d.ts (d68f104)

v4.0.0

Compare Source

⚠ BREAKING CHANGES
  • All module named exports have moved from subpaths to
    just "jose". For example, import { jwtVerify } from 'jose/jwt/verify'
    is now just import { jwtVerify } from 'jose'.
  • All submodule default exports and named have been
    removed in favour of just "jose" named exports.
  • typescript: remove repeated type re-exports
  • The undocumented jose/util/random was removed.
  • The jose/jwk/thumbprint named export
    is renamed to calculateJwkThumbprint, now
    import { calculateJwkThumbprint } from 'jose'
  • The deprecated jose/jwk/parse module was
    removed, use import { importJWK } from 'jose' instead.
  • The deprecated jose/jwk/from_key_like module was
    removed, use import { exportJWK } from 'jose' instead.
Refactor
  • redo exports to support broader tooling (dd2cf9e)
  • remove util/random (914e47f)
  • removed the deprecated jwk/from_key_like module (ec1d0e7)
  • removed the deprecated jwk/parse module (8d3cc3b)
  • rename calculateThumprint to calculateJwkThumbprint (5afb713)
  • typescript: remove repeated type re-exports (3e137d2)

v3.20.4

Compare Source

Fixes
  • limit default PBES2 alg's computational expense (d530c30)

v3.20.3

Compare Source

Fixes
  • remove clutter when tree shaking browser dist (73ba370)
  • typescript: JWTExpired error TS2417 (373e0e4)

v3.20.2

Compare Source

Fixes
  • allow tree-shaking of errors (0824301)

v3.20.1

Compare Source

Fixes
  • typescript: PEM import functions always resolve a KeyLike, never a Uint8Array (8ef3a8e)

v3.20.0

Compare Source

Features
Fixes
  • proper createRemoteJWKSet timeoutDuration handling (efa1619), closes #​277

v3.19.0

Compare Source

Features
  • return resolved key when verify and decrypt resolve functions are used (49fb62c)

v3.18.0

Compare Source

Features
  • add X.509/SPKI/PKCS8 key import and SPKI/PKCS8 export functions (a2af0f4)

v3.17.0

Compare Source

Features

v3.16.1

Compare Source

Fixes
  • guard Sign payloads and Encrypt plaintext argument types (10a18f2)

v3.16.0

Compare Source

Features
  • node: support rsa-pss keys in Node.js >= 16.9.0 for sign/verify (0b112cf)

v3.15.5

Compare Source

Fixes
  • omit some fetch options when running in Cloudflare Workers env (ced065a), closes #​255

v3.15.4

Compare Source

Fixes
  • deno: ignore incomplete webcrypto api type errors (c5f2262)
  • typescript: generateKeyPair never returns Uint8Array (73adc01)

v3.15.3

Compare Source

Fixes
  • typescript: GeneralJWSInput and GeneralJWS omit (bc0b42f)

v3.15.2

Compare Source

v3.15.1

Compare Source

Fixes
  • typescript: remove file extensions from types/**/*.d.ts files (0c432e5), closes #​222

v3.15.0

Compare Source

Features
  • experimental Deno build & publish (5c7d265)
Fixes
  • typescript: allow sign results to be passed to verify (59aa96d)

v3.14.4

Compare Source

Fixes
  • throw JWEInvalid when jwe protected header is invalid (991d435)
  • throw JWSInvalid when jws protected header is invalid (#​244) (1fc79aa)

v3.14.3

Compare Source

Fixes
  • docs: update doc links again (26c4361)

v3.14.2

Compare Source

Fixes

v3.14.1

Compare Source

Fixes
  • typescript: export generate key pair result interface (2b5cc28)

v3.14.0

Compare Source

Features
  • add verbose key type error messages (df56b94)
Fixes
  • typescript: remove file extensions from .d.ts files (e091f0f), closes #​222
  • AES Key Wrap input type check (b83821b)
  • guard SignJWT.prototype.sign() from missing protected header (4103719), closes #​221
  • typescript: add "jku" header to JoseHeaderParameters (#​220) (72a72db)

v3.13.0

Compare Source

Features
  • typescript: export consume module interface types (#​213) (13fa3d8)

v3.12.3

Compare Source

Fixes
  • browser: remove the use of a node std-lib in decodeProtectedHeader (d9d4a5f), closes #​206

v3.12.2

Compare Source

Performance
  • node: use util.types.is* helpers when available (d36311d)

v3.12.1

Compare Source

Fixes
  • browser: avoid global-conflicting variable name fetch (#​199) (b2c6273)

v3.12.0

Compare Source

Features
  • webcrypto: allow generate* modules extractable: false override (afae428)

v3.11.6

Compare Source

Fixes
  • swallow promisified crypto.verify errors (d512ede)

v3.11.5

Compare Source

Fixes
  • isObject helper in different vm contexts or jest re-assigned globals (7819df7), closes #​178

v3.11.4

Compare Source

Fixes
  • defer AES CBC w/ HMAC decryption after tag verification passes (579485c)

v3.11.3

Compare Source

Fixes
  • node: check CryptoKey algorithm & usage before exporting KeyObject (dab4b2f)

v3.11.2

Compare Source

Fixes
  • assert KeyLike input types, change "any" types to "unknown" (edb83a8)

v3.11.1

Compare Source

Fixes
  • node: crypto.verify callback invocation with a private keyobject (d3d4acd)

v3.11.0

Compare Source

Features

v3.10.0

Compare Source

Features
  • node: use libuv threadpool to sign in node >= 15.12.0 (cf5074e)
  • node: use libuv threadpool to verify in node >= 15.12.0 (ae9a7f4)
  • node: use native JWK export in node >= 15.9.0 (7f3cc44)
  • node: use native JWK import in node >= 15.12.0 (f0c2a64)

v3.9.0

Compare Source

Features
  • add named exports for all modules (5cba6b0)

v3.8.0

Compare Source

Features
  • publish alternative Node.js and Browser specific distributions (7856dad)

v3.7.1

Compare Source

Fixes
  • swallow invalid signature encoding errors (e0adf49)

v3.7.0

Compare Source

Features
  • electron >=12.0.0 is now supported (and tested on ci) (8fffd3e)
Fixes
  • electron: only call (de)cipher.setAAD() when aad is not empty (a5a6c4d)
  • electron: properly ASN.1 encode [0x00] when converting RSA JWKs (433f020)

v3.6.2

Compare Source

Fixes
  • typescript: update maxTokenAge type and examples (2c358e0)

v3.6.1

Compare Source

Fixes
  • node runtime json fetch handles connection errors properly (fc584b2)

v3.6.0

Compare Source

Features
  • allow CryptoKey instances in a regular non-webcrypto node runtime (e8d41a9)

v3.5.4

Compare Source

Fixes

v3.5.3

Compare Source

Fixes
  • workaround downstream dependency issues messing with http (2e58005), closes #​154

v3.5.2

Compare Source

Performance
  • use 'base64url' encoding when available in Node.js runtime (808f06c)
  • use KeyObject.prototype asymmetricKeyDetails when available (ad88ee2)

v3.5.1

Compare Source

Fixes
  • workaround for RangeError in browser runtime base64url (ed32b0d)

v3.5.0

Compare Source

Features
  • added JWE General JSON Serialization decryption (16dea9e)

v3.4.0

Compare Source

Features
  • added JWS General JSON Serialization signing (6fb862c), closes #​129
  • added JWS General JSON Serialization verification (55b7781), closes #​129
  • added utility function for decoding token's protected header (fa29d68)

v3.3.2

Compare Source

Fixes
  • typescript: ref dom lib via triple-slash to fix some compile issues (175f273), closes #​126

v3.3.1

Compare Source

Fixes

v3.3.0

Compare Source

Features
  • support recognizing proprietary crit header parameters (5163116), closes #​123
Fixes
  • reject JWTs with b64: false (691b44a)

v3.2.0

Compare Source

Features
  • allow specifying modulusLength when generating RSA Key Pairs (5f7a0e9), closes #​121

v3.1.3

Compare Source

Fixes
  • typescript: refactored how types are published (2937363), closes #​119

v3.1.2

Compare Source

Fixes
  • handle globalThis undefined in legacy browsers (b83c59b)

v3.1.1

Compare Source

Fixes
  • global detection in a browser worker runtime (56ff8fa)

v3.1.0

Compare Source

Features
  • added "KeyLike to JWK" module (7a8418e), closes #​109
  • allow compact verify/decrypt tokens to be uint8array encoded (e39c3db)
  • allow http.Agent and https.Agent passed in remote JWK Set (38494a8)

v3.0.2

Compare Source

Fixes

v3.0.1

Compare Source

Fixes
  • typescript: fix compiling by adding .d.ts files for runtime modules (d9cb573)

v3.0.0

Compare Source

⚠ BREAKING CHANGES
  • Revised, Promise-based API
  • No dependencies
  • Browser support (using Web Cryptography API)
  • Support for verification using a remote JWKS endpoint
Features
  • Revised API, No dependencies, Browser Support, Promises (357fe0b)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 6, 2024 07:00
@renovate renovate bot added the 🤖 Type: Dependencies Dependency updates or something similar label Aug 6, 2024
@vercel Vercel
Copy link

vercel bot commented Aug 6, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
mc-app-kit-playground ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 6, 2024 7:02am
merchant-center-application-kit-components-playground ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 6, 2024 7:02am

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 6, 2024

⚠️ No Changeset found

Latest commit: b6db340

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
🤖 Type: Dependencies Dependency updates or something similar
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants