high severity in jsonwebtoken <=8.5.1

[davehorton]

The dependency on an older version of ibm-cloud-sdk-core is leading to a security issue. Per this related issue this was fixed recently in that repo. Are there any plans to issue a new release that incorporates this security fix?

[davehorton]

any plans to address this?

[apaparazzi0329]

This fix has been addressed and simply reinstalling the node-sdk will bring in the updated version of ibm-cloud-sdk-core with the fix

[davehorton]

what am I missing? npm audit still shows this vulnerability in my project:

$ npm audit
# npm audit report

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken
  ibm-cloud-sdk-core  0.3.0 - 3.2.2-beta-5 || 4.0.0
  Depends on vulnerable versions of jsonwebtoken
  node_modules/ibm-cloud-sdk-core

2 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

MacBook-Pro-3:realtimedb-helpers dhorton$ npm ls jsonwebtoken
@jambonz/[email protected] /Users/dhorton/beachdog-enterprises/beachdog-networks/git/jambones.org/git/utils/realtimedb-helpers
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

[dpopp07]

[email protected] includes the fix. It looks like 3.2.1 is still installed in your package.