英文:
NPM Audit Fix wants to downgrade a package
问题
We received an NPM Audit warning about jsonwebtoken <= 8.5.1. The suggested fix was to upgrade mssql to 7.2.0. Instead, we removed mssql with npm remove mssql and re-installed it to get the latest version npm i -D mssql => 9.0.1.
However, NPM Audit still complains and wants to install mssql@7.2.0.
Why is NPM Audit requiring a downgrade?
英文:
We received an NPM Audit warning about jsonwebtoken <= 8.5.1. The suggested fix was to upgrade mssql to 7.2.0. Instead, we removed mssql with npm remove mssql and re-installed it to get the latest version npm i -D mssql => 9.0.1.
However, NPM Audit still complains and wants to install mssql@7.2.0.
Why is NPM Audit requiring a downgrade?
$ npm audit --registry=https://registry.npmjs.org/
# npm audit report
jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install mssql@7.2.0, which is a breaking change
node_modules/jsonwebtoken
@azure/msal-node *
Depends on vulnerable versions of jsonwebtoken
node_modules/@azure/msal-node
@azure/identity >=1.2.0-alpha.20200903.1
Depends on vulnerable versions of @azure/msal-node
node_modules/@azure/identity
tedious >=11.0.9
Depends on vulnerable versions of @azure/identity
node_modules/tedious
mssql >=7.2.1
Depends on vulnerable versions of tedious
node_modules/mssql
5 vulnerabilities (4 moderate, 1 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Here is the dependency graph:
- "mssql": "9.0.1"
- "tedious": "^15.0.1" (15.1.2)
- "@azure/identity": "^2.0.4"
- "@azure/msal-node": "^1.10.0"
- "jsonwebtoken": "^8.5.1"
- "@azure/msal-node": "^1.10.0"
- "@azure/identity": "^2.0.4"
- "tedious": "^15.0.1" (15.1.2)
We have no other libraries which depend on jsonwebtoken.
package.json
{
"dependencies": {
"express": "^4.18.1",
"flatted": "^3.1.1",
"http-proxy-middleware": "^2.0.6",
"log-timestamp": "^0.3.0",
"node-fetch": "^2.6.1",
"nodemon": "^2.0.20",
"sha1-hex": "^1.0.0"
},
"devDependencies": {
"@types/jest": "^26.0.3",
"eslint": "^7.7.0",
"eslint-config-strongloop": "^2.1.0",
"jest": "^28.1.3",
"jest-junit": "^8.0.0",
"mssql": "^9.0.1"
}
}
答案1
得分: 2
问题是@azure/msal-node的所有版本都依赖于jsonwebtoken@8.5.1。然而,这个依赖似乎是在mssql >7.2.0中添加的。因此,降级到mssql@7.2.0会移除对@azure/msal-node的依赖,从而移除对jsonwebtoken的受影响版本的依赖。
英文:
The issue is that all versions of @azure/msal-node depends on jsonwebtoken@8.5.1. However this dependency seems to have been added in mssql >7.2.0. So downgrading to mssql@7.2.0 removes the dependence on @azure/msal-node and subsequently the vulnerable version of jsonwebtoken.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论