Please update the jose dependency

[dancrumb]

Currently, jwks-rsa depends on [email protected]

This is impacted by CVE-2021-29446.

This is addressed at jose@>=3.11.4

I tried to use the overrides property in my package.json, but that did not help.

Can you release a new version of this module with an update jose dependency, please?

[dancrumb]

Turns out, this isn't trivial. v3 of Jose is a breaking change as is v4

[adamjmcgrath]

Thanks for raising this @dancrumb

That vulnerability has been patched in [email protected] see GHSA-58f5-hfqc-jgch

[dancrumb]

Thanks for the response Adam.

However, that linked vulnerability points to CVE-2021-29443, not CVE-2021-29446.

GHSA-rvcw-f68w-8h8h is the GitHub advisory for this CVE

[adamjmcgrath]

They're for the same vulnerability

The CVE you are pointing to (CVE-2021-29446) is for jose-node-cjs-runtime which is a flavour jose that did not exist in 2.0.5 (which is why it doesn't mention 2.x in the disclosure).

The correct CVE for this vulnerability in jose (which this SDK uses) is the one I pointed to (CVE-2021-29443) - and was patched in [email protected]