
jws @3.2.2

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 63
License: MIT
Install Scripts: No
Dependencies: 2
Dev Dependencies: 2
Package Size: 5.7 KB
Published:

Implementation of JSON Web Signatures

Maintainers

brianloveswords, omsmith, stenington

Keywords

jws, json, web, signatures

Dependencies (2)

Package | Constraint | Registry Status
jwa | ^1.4.1 | auto_approved
safe-buffer | ^5.0.1 | auto_approved

Dev Dependencies (2)

Package | Constraint | Registry Status
tape | ~2.14.0 | auto_approved
semver | ^5.1.0 | auto_approved

Transitive Dependency Tree

4 transitive deps, max depth 3
├─ jwa ^1.4.1 → 1.4.2
│  ├─ buffer-equal-constant-time ^1.0.1 → 1.0.1
│  ├─ ecdsa-sig-formatter 1.0.11 → 1.0.11
│  │  └─ safe-buffer ^5.0.1 → 5.2.1
│  └─ safe-buffer ^5.0.1 → 5.2.1
└─ safe-buffer ^5.0.1 → 5.2.1

Changes from v2.0.0

Dependency Changes

Change | Package | Version
added | safe-buffer | ^5.0.1
removed | base64url | ~1.0.4
changed | jwa | ~1.0.0 → ^1.4.1

File Changes

1 added, 7 removed, 7 modified; size delta: -7.8 KB

Risk Dispositions (1 applicable to this version, 1 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
osv:GHSA-869p-cjfg-cm3x | osv | reject | AI | AI (osv): Affects all jws versions < 3.2.3; this version (3.2.2) is within the affected range. Fix available in 3.2.3+.
1 disposition does not match any finding on this version:
Rule | Source | Disposition | Author | Reason
osv:GHSA-gjcw-v447-2w7q | osv | reject | AI | AI (osv): Affects all jws versions < 3.0.0; this version (0.0.2) is well within the affected range. Fix available in 3.0.0+.

SAST Findings (2)

CRITICAL GHSA-869p-cjfg-cm3x: auth0/node-jws Improperly Verifies HMAC Signature (source: osv)

[Always reject] CVSS 7.5 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

### Overview

An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.

### Am I Affected?

You are affected by this vulnerability if you meet all of the following preconditions:

1. Application uses the auth0/node-jws implementation of JSON Web Signatures, versions <=3.2.2 || 4.0.0
2. Application uses the jws.createVerify() function for HMAC algorithms
3. Application uses user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines

You are NOT affected by this vulnerability if you meet any of the following preconditions:

1. Application uses the jws.verify() interface (note: `auth0/node-jsonwebtoken` users fall into this category and are therefore NOT affected by this vulnerability)
2. Application uses only asymmetric algorithms (e.g. RS256)
3. Application doesn't use user-provided data from the JSON Web Signature Protected Header or Payload in the HMAC secret lookup routines

### Fix

Upgrade auth0/node-jws to version 3.2.3 or 4.0.1.

### Acknowledgement

Okta would like to thank Félix Charette for discovering this vulnerability.

LOW No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 63. Findings: 1 critical (+40), 2 medium (+20), 1 low (+3).

Commit: c0f6b27bcea5

Published to npm: