NPM Audit Fix wants to downgrade a package

Time:01-04

We received an NPM Audit warning about jsonwebtoken <= 8.5.1. The suggested fix was to upgrade mssql to 7.2.0. Instead, we removed mssql with npm remove mssql and re-installed it to get the latest version npm i -D mssql => 9.0.1.

However, NPM Audit still complains and wants to install [email protected].

Why is NPM Audit requiring a downgrade?

$ npm audit --registry=https://registry.npmjs.org/ 

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken
  @azure/msal-node  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@azure/msal-node
    @azure/identity  >=1.2.0-alpha.20200903.1
    Depends on vulnerable versions of @azure/msal-node
    node_modules/@azure/identity
      tedious  >=11.0.9
      Depends on vulnerable versions of @azure/identity
      node_modules/tedious
        mssql  >=7.2.1
        Depends on vulnerable versions of tedious
        node_modules/mssql

5 vulnerabilities (4 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Here is the dependency graph:

  • "mssql": "9.0.1"
    • "tedious": "^15.0.1" (15.1.2)
      • "@azure/identity": "^2.0.4"
        • "@azure/msal-node": "^1.10.0"
          • "jsonwebtoken": "^8.5.1"

We have no other libraries which depend on jsonwebtoken.

package.json

{
  "dependencies": {
    "express": "^4.18.1",
    "flatted": "^3.1.1",
    "http-proxy-middleware": "^2.0.6",
    "log-timestamp": "^0.3.0",
    "node-fetch": "^2.6.1",
    "nodemon": "^2.0.20",
    "sha1-hex": "^1.0.0"
  },
  "devDependencies": {
    "@types/jest": "^26.0.3",
    "eslint": "^7.7.0",
    "eslint-config-strongloop": "^2.1.0",
    "jest": "^28.1.3",
    "jest-junit": "^8.0.0",
    "mssql": "^9.0.1"
  }
}

CodePudding user response:

The issue is that all versions of @azure/msal-node depend on [email protected]. However, this dependency seems to have been added in mssql >7.2.0. So downgrading to [email protected] removes the dependence on @azure/msal-node and subsequently the vulnerable version of jsonwebtoken.
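An added example (not code from the question or the answer) that models what npm audit is doing when it attributes the jsonwebtoken advisory to mssql: it walks a constructed copy of the dependency chain from the question and picks the highest mssql version that has no path to jsonwebtoken <=8.5.1, which in this chain can only be a downgrade. The versions assigned to mssql 7.2.0/7.2.1 and tedious 11.0.8/11.0.9 are assumptions chosen to match the ranges in the audit report, not real registry data.

```javascript
// Constructed registry: package -> version -> resolved dependencies.
// Shaped after the chain in the question; the 7.2.x / 11.0.x rows are assumed.
const registry = {
  mssql: {
    '7.2.0': { tedious: '11.0.8' },           // assumed: before @azure/identity was pulled in
    '7.2.1': { tedious: '11.0.9' },           // audit report: mssql >=7.2.1 is affected
    '9.0.1': { tedious: '15.1.2' },           // the version the asker installed
  },
  tedious: {
    '11.0.8': {},                             // assumed: no @azure/identity dependency
    '11.0.9': { '@azure/identity': '2.0.4' }, // audit report: tedious >=11.0.9 is affected
    '15.1.2': { '@azure/identity': '2.0.4' },
  },
  '@azure/identity': { '2.0.4': { '@azure/msal-node': '1.10.0' } },
  '@azure/msal-node': { '1.10.0': { jsonwebtoken: '8.5.1' } },
  jsonwebtoken: { '8.5.1': {} },
};

// Naive semver compare (major.minor.patch only) so the example needs no packages.
const cmp = (a, b) => {
  const [x, y] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Advisory range from the audit report: jsonwebtoken <=8.5.1.
const isVulnerable = (name, version) => name === 'jsonwebtoken' && cmp(version, '8.5.1') <= 0;

// Depth-first walk returning every dependency chain from name@version that ends
// in a vulnerable package, each chain as an array of "name@version" strings.
function vulnerablePaths(name, version, trail = []) {
  const here = [...trail, `${name}@${version}`];
  if (isVulnerable(name, version)) return [here];
  const deps = (registry[name] || {})[version] || {};
  return Object.entries(deps).flatMap(([d, v]) => vulnerablePaths(d, v, here));
}

// What `npm audit fix` effectively does for a direct dependency: choose the highest
// version with no chain to the advisory and report whether that is a downgrade.
function suggestFix(name, installed) {
  const clean = Object.keys(registry[name]).filter((v) => vulnerablePaths(name, v).length === 0);
  if (clean.length === 0) return null; // no version of the direct dependency is clean
  const sorted = clean.sort(cmp);
  const target = sorted[sorted.length - 1];
  return { version: target, downgrade: cmp(target, installed) < 0 };
}

console.log(vulnerablePaths('mssql', '9.0.1').map((p) => p.join(' > ')).join('\n'));
console.log(suggestFix('mssql', '9.0.1')); // { version: '7.2.0', downgrade: true }
```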
