Bump jsonwebtoken, auth0 and express-jwt

[dependabot]

Bumps jsonwebtoken to 9.0.2 and updates ancestor dependencies jsonwebtoken, auth0 and express-jwt. These dependencies need to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.2

Changelog

Sourced from jsonwebtoken's changelog.

9.0.2 - 2023-08-30

• security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
• refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

• fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Commits

• bc28861 Release 9.0.2 (#935)
• 96b8906 refactor: use specific lodash packages (#933)
• ed35062 security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (#932)
• 84539b2 Updating package version to 9.0.1 (#920)
• a99fd4b fix(stubs): allow decode method to be stubbed (#876)
• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by charlesrea, a new releaser for jsonwebtoken since your current version.

Updates auth0 from 2.44.1 to 4.10.0

Release notes

Sourced from auth0's releases.

v4.10.0

Changes

This release PR contains the following changes:

• Add organization support for client credentials to node-auth0
• Prompt Partials model changes

References

• Docs
• get-clients
• get-clients-by-id
• post-clients
• patch-clients-by-id
• get-resource-servers

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

• This change adds unit test coverage
• This change adds integration test coverage

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors

v4.9.0

Added

• Feature/SDK-4921 #1028 (tusharpandey13)
• Update Codecov Action with Token #1029 (developerkunal)

Changed

• Update codeowner file with new GitHub team name #1025 (stevenwong-okta)

v4.8.0

Added

• Added support for client, tenant and resource level properties related to HRI #1024 (gyaneshgouraw-okta)
• Added support for users getSessions & getRefreshTokens endpoint in management api client #1021 (gyaneshgouraw-okta)
• Added support for Session & Refresh token in management api client #1019 (gyaneshgouraw-okta)

v4.7.0

Added

... (truncated)

Changelog

Sourced from auth0's changelog.

v4.10.0 (2024-09-10)

Full Changelog

Added

• Prompt Partial model changes #1035 (tusharpandey13)
• Add organization support for client credentials to node-auth0 #1033 (tusharpandey13)

v4.9.0 (2024-08-26)

Full Changelog

Added

• Node SDK support for SS-SSO #1028 (tusharpandey13)
• Update Codecov Action with Token #1029 (developerkunal)

Changed

• Update codeowner file with new GitHub team name #1025 (stevenwong-okta)

v4.8.0 (2024-08-02)

Full Changelog

Added

• Added support for client, tenant and resource level properties related to HRI #1024 (gyaneshgouraw-okta)
• Added support for users getSessions & getRefreshTokens endpoint in management api client #1021 (gyaneshgouraw-okta)
• Added support for Session & Refresh token in management api client #1019 (gyaneshgouraw-okta)

v4.7.0 (2024-07-08)

Full Changelog

Added

• Support SCIM features. #1016 (nandan-bhat)

v4.6.0 (2024-06-20)

Full Changelog

Added

• Added enabled_clients in connection interface #1014 (gyaneshgouraw-okta)

Fixed

... (truncated)

Commits

• 34497ef Release v4.10.0 (#1037)
• de68481 Prompt Partial model changes (#1035)
• b9eb2d0 SDK-4541 Add organization support for client credentials to node-auth0 (#1033)
• 1e0fbf0 Release v4.9.0 (#1031)
• e7495b3 Feature/SDK-4921 (#1028)
• 7c015d1 Update Codecov Action with Token (#1029)
• 8c31d2f Update codeowner file with new GitHub team name (#1025)
• d67301e Merge branch 'master' into sw_update_co_file
• f27f719 Release v4.8.0 (#1026)
• 455da7b Added support for client, tenant and resource level properties related to HRI...
• Additional commits viewable in compare view

Updates express-jwt from 6.1.2 to 8.4.1

Changelog

Sourced from express-jwt's changelog.

Change Log

All notable changes to this project will be documented in this file starting from version v4.0.0. This project adheres to Semantic Versioning.

8.3.0 - 2023-01-04

• requestProperty support for nested properties (bbd3606ce68da2602733d6e4ac32564570753ca1)
• Update Typescript instructions in Readme.MD (3c1d5cf8a08a6afbcfc78640b8cdb26fac8002ca)

8.2.1 - 2022-12-26

• add secret rotation example in readme. close #310 (0000a44ed58aac97798007af19b0324f28acc436), closes #310
• update @​types/jsonwebtoken and fix deps in package-lock (2322a9b67a5b5c716f953a53a0bb4bbc696d0a11)

8.2.0 - 2022-12-22

• add an optional handler for expired tokens. closes #6048 (ca6c90ccbb4b61b91f417a5dfa56f0b931b81528), closes #6048

8.1.0 - 2022-12-22

• update type to match jwks-rsa (bcad8af9cad82b3777cc38d1c05864a35f82bc53)
• feat: export middleware options type. closes #308 (25a30f0d50c02cc75ab17b09f3592e76e09f9666), closes #308

8.0.0 - 2022-12-22

• Upgrade jsonwebtoken to v9. GHSA-27h2-hvpr-p74q .

7.7.3 - 2022-05-30

• Fix tsc build error for express-unless (e1fe1d264bc5363e008d23fea9d8c5d2ac0d8198)
• Remove esModuleInterop and fix assert import in tests (9ccf0cfd6aaa4cc61fce2f8ccdb961c4b0358201)

7.7.2 - 2022-05-19

• fix instaceof comparison for UnauthorizedError. closes #292 (6c87fe401ecba868feda1ffa530082c7c539321a), closes #292
• update changelog (b1344fa7f6f9dd3d27115a9107b3ef4323733895)

7.7.1 - 2022-05-13

• fix readme and package-lock (7a02ca76c5d7842cfa8b256dcc89dcef1ffbcdc1)
• build(deps): required runtime types (f3f5af5c214241b4f92b91c49db8586ec20e4526)
• docs: fix tiny typo (07e771857489b6344a8dc457069d040a76e84230)

7.7.0 - 2022-05-06

• deprecate ExpressJwtRequest in favor of Request with optional auth, closes #284 (de169def56f98f4237741aa6755d0c5e248bd561), closes #284

7.6.2 - 2022-05-02

... (truncated)

Commits

• d15b92c 8.4.1
• d1e88c7 Merge branch 'glensc-patch-1'
• fdf2d5c Await async jwt.verify function
• 92b7a26 8.4.0
• bb0495d remove lodash and revert esModuleInterop. Closes #317
• 76ceb17 update changelog
• 38dbf45 8.3.0
• bbd3606 requestProperty support for nested properties
• 3c1d5cf Update Typescript instructions in Readme.MD
• 7e19e53 update changelog
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
voting-backend	✅ Ready (Inspect)	Visit Preview	Oct 12, 2024 7:11am