Skip to content

[Identity] upgrade the msal dependencies due to security issue in jsonwebtoken#24458

Merged
KarishmaGhiya merged 5 commits intoAzure:hotfix/identity_3.1.3from
KarishmaGhiya:identity_3.1.3_security_fix
Jan 13, 2023
Merged

[Identity] upgrade the msal dependencies due to security issue in jsonwebtoken#24458
KarishmaGhiya merged 5 commits intoAzure:hotfix/identity_3.1.3from
KarishmaGhiya:identity_3.1.3_security_fix

Conversation

@KarishmaGhiya
Copy link
Copy Markdown
Member

@KarishmaGhiya KarishmaGhiya commented Jan 12, 2023
edited
Loading

Packages impacted by this PR

@azure/identity

Issues associated with this PR

There's a CVE associated with this for jsonwebtoken vulnerability- https://nvd.nist.gov/vuln/detail/CVE-2022-23529

Describe the problem that is addressed by this PR

Upgrading the msal dependencies due to security issue in Auth0's jsonwebtoken library, which is a dependency of msal-node. The latest versions of msal libraries depend on the fix released by jsonwebtoken library version 9.0.0

Checklists

  • Added impacted package name to the issue description
  • Added a changelog (if necessary)

@KarishmaGhiya
upgrade the msal dependencies due to security issue in Auth0 jsonwebt…
f99abf4 
…oken library, which is a dependency of msal-node
@ghost ghost added the Azure.Identity label Jan 12, 2023
@KarishmaGhiya KarishmaGhiya requested a review from xirzec January 12, 2023 22:28
@deyaaeldeen
Copy link
Copy Markdown
Member

deyaaeldeen commented Jan 12, 2023

Could you please merge latest main here? I don't expect changes in our lockfile.

@deyaaeldeen
Copy link
Copy Markdown
Member

deyaaeldeen commented Jan 12, 2023

Also, could you update the changelog?

@azure-sdk
Copy link
Copy Markdown
Collaborator

azure-sdk commented Jan 12, 2023

API change check

APIView has identified API level changes in this PR and created following API reviews.

azure-identity

@KarishmaGhiya
Copy link
Copy Markdown
Member Author

KarishmaGhiya commented Jan 12, 2023

/azp run js - identity - ci

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Jan 12, 2023

Azure Pipelines successfully started running 1 pipeline(s).

xirzec
xirzec approved these changes Jan 12, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@xirzec xirzec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

KarishmaGhiya
KarishmaGhiya commented Jan 12, 2023
View reviewed changes
deyaaeldeen
deyaaeldeen reviewed Jan 12, 2023
View reviewed changes
deyaaeldeen
deyaaeldeen reviewed Jan 12, 2023
View reviewed changes
KarishmaGhiya and others added 2 commits January 12, 2023 16:22
@KarishmaGhiya @deyaaeldeen
Update sdk/identity/identity/CHANGELOG.md
baf0ac1 
Co-authored-by: Deyaaeldeen Almahallawi <dealmaha@microsoft.com>
@KarishmaGhiya @deyaaeldeen
Update sdk/identity/identity/CHANGELOG.md
1bd1d2b 
Co-authored-by: Deyaaeldeen Almahallawi <dealmaha@microsoft.com>
@KarishmaGhiya KarishmaGhiya merged commit 22591b6 into Azure:hotfix/identity_3.1.3 Jan 13, 2023
KarishmaGhiya added a commit that referenced this pull request Feb 10, 2023
@KarishmaGhiya
[Identity] upgrade the msal dependencies due to security issue in jso…
c738b3b 
…nwebtoken (#24458)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deyaaeldeen deyaaeldeen deyaaeldeen left review comments

@xirzec xirzec xirzec approved these changes

@praveenkuttappan praveenkuttappan Awaiting requested review from praveenkuttappan

@witemple-msft witemple-msft Awaiting requested review from witemple-msft

@jeremymeng jeremymeng Awaiting requested review from jeremymeng

@schaabs schaabs Awaiting requested review from schaabs

Assignees

No one assigned

Labels

Azure.Identity

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@KarishmaGhiya @deyaaeldeen @azure-sdk @xirzec