Downstream dependency has vulnerability

[jdforsythe]

Issue Summary

A summary of the issue and the environment in which it occurs. If suitable, include the steps required to reproduce the bug. Please feel free to include screenshots, screencasts, or code examples.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ twilio                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ twilio > jsonwebtoken > semver                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092310                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps to Reproduce

1. This is the first step
2. This is the second step
3. Further steps, etc.

Code Snippet

# paste code here

Exception/Log

# paste exception/log here

Technical details:

• twilio-node version:
• node version:

[AsabuHere]

Hi @jdforsythe,
Thank you for the heads up!
Our team has reviewed the twilio-node repository and dont see semVer dependency added here. Can you please share more details on where is it used?

Thanks,
Athira

[jdforsythe]

@AsabuHere You have a dependency on jsonwebtoken which, in turn, has a dependency on semver. The version they depend on is vulnerable.

Issue:
auth0/node-jsonwebtoken#905

PR for jsonwebtoken:
auth0/node-jsonwebtoken#919

Once a new version of jsonwebtoken is released with the dependency updated, you'll just need to update your dependency to a new version of jsonwebtoken.

[tiwarishubham635]

Created a PR for this change. Thanks!