From ed35062239c0195d4341025d4699cc39608b435e Mon Sep 17 00:00:00 2001
From: Jake Lacey
Date: Wed, 30 Aug 2023 13:02:58 +0100
Subject: [PATCH 1/3] security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (#932)

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 2c90cc2..79aefdc 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,7 @@
 "jws": "^3.2.2",
 "lodash": "^4.17.21",
 "ms": "^2.1.1",
- "semver": "^7.3.8"
+ "semver": "^7.5.4"
 },
 "devDependencies": {
 "atob": "^2.1.2",

From 96b89060cfc19272a7d853f53cb28c42580a6a67 Mon Sep 17 00:00:00 2001
From: Jake Lacey
Date: Wed, 30 Aug 2023 13:06:25 +0100
Subject: [PATCH 2/3] refactor: use specific lodash packages (#933)

This is to reduce the size of the bundle users have to install.
---
 package.json | 8 +++++++-
 sign.js | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 79aefdc..f7885f0 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,13 @@
 },
 "dependencies": {
 "jws": "^3.2.2",
- "lodash": "^4.17.21",
+ "lodash.includes": "^4.3.0",
+ "lodash.isboolean": "^3.0.3",
+ "lodash.isinteger": "^4.0.4",
+ "lodash.isnumber": "^3.0.3",
+ "lodash.isplainobject": "^4.0.6",
+ "lodash.isstring": "^4.0.1",
+ "lodash.once": "^4.0.0",
 "ms": "^2.1.1",
 "semver": "^7.5.4"
 },
diff --git a/sign.js b/sign.js
index 1aeeabc..82bf526 100644
--- a/sign.js
+++ b/sign.js
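Review bot: Swapping the single `lodash` dependency for seven `lodash.*` per-method packages in the `dependencies` hunk of patch 2 enlarges the supply-chain surface the project has to monitor: each is a separately published package with its own version line, and as far as I know the per-method packages have not been published in step with lodash core releases, so a fix that lands in `lodash` would not reach `lodash.includes`, `lodash.isplainobject` and the others listed here. Worth confirming before merging that these seven are still maintained, that their resolved versions are recorded in a lockfile (this patch does not touch one; the diffstat lists only package.json and sign.js), and that audit tooling is pointed at them. The same observation applies to the matching `require` lines in the sign.js hunk of this patch.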
@@ -2,7 +2,13 @@ const timespan = require('./lib/timespan');
 const PS_SUPPORTED = require('./lib/psSupported');
 const validateAsymmetricKey = require('./lib/validateAsymmetricKey');
 const jws = require('jws');
-const {includes, isBoolean, isInteger, isNumber, isPlainObject, isString, once} = require('lodash')
+const includes = require('lodash.includes');
+const isBoolean = require('lodash.isboolean');
+const isInteger = require('lodash.isinteger');
+const isNumber = require('lodash.isnumber');
+const isPlainObject = require('lodash.isplainobject');
+const isString = require('lodash.isstring');
+const once = require('lodash.once');
 const { KeyObject, createSecretKey, createPrivateKey } = require('crypto')
 const SUPPORTED_ALGS = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none'];

From bc28861f1fa981ed9c009e29c044a19760a0b128 Mon Sep 17 00:00:00 2001
From: Jake Lacey
Date: Wed, 30 Aug 2023 13:25:33 +0100
Subject: [PATCH 3/3] Release 9.0.2 (#935)

---
 CHANGELOG.md | 5 +++++
 package.json | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e107c94..e41fdfc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@
 All notable changes to this project will be documented in this file starting from version **v4.0.0**.
 This project adheres to [Semantic Versioning](http://semver.org/).
+## 9.0.2 - 2023-08-30
+
+- security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes [#921](https://github.com/auth0/node-jsonwebtoken/issues/921).
+- refactor: reduce library size by using lodash specific dependencies, closes [#878](https://github.com/auth0/node-jsonwebtoken/issues/878).
+
 ## 9.0.1 - 2023-07-05
 - fix(stubs): allow decode method to be stubbed
diff --git a/package.json b/package.json
index f7885f0..81f78da 100644
--- a/package.json
+++ b/package.json
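Review bot: Removing `lodash` from `dependencies` while rewriting only the sign.js require block leaves any other module in the package that still does `require('lodash')` to fail at load time once the package is gone from `node_modules`; the diffstat shows no other source file changed, so a grep for `require('lodash')` across the package before merging would confirm none remain. A smaller point of style: the seven new `require` lines end with semicolons while the untouched `require('crypto')` line directly below them does not, so `const { KeyObject, createSecretKey, createPrivateKey } = require('crypto');` would keep the import block consistent. The hunk covers only the top-of-file requires; the rest of sign.js lies outside it.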
@@ -1,6 +1,6 @@
 {
 "name": "jsonwebtoken",
- "version": "9.0.1",
+ "version": "9.0.2",
 "description": "JSON Web Token implementation (symmetric and asymmetric)",
 "main": "index.js",
 "nyc": {