Bump jsonwebtoken and firebase-admin in /backend#230
Open
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) to 9.0.0 and updates ancestor dependency [firebase-admin](https://github.com/firebase/firebase-admin-node). These dependencies need to be updated together. Updates `jsonwebtoken` from 8.1.0 to 9.0.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md">jsonwebtoken's changelog</a>.</em></p> <blockquote> <h2>9.0.0 - 2022-12-21</h2> <p><strong>Breaking changes: See <a href="https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9">Migration from v8 to v9</a></strong></p> <h3>Breaking changes</h3> <ul> <li>Removed support for Node versions 11 and below.</li> <li>The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]<a href="https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16">https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16</a>)</li> <li>RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]<a href="https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6">https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6</a>)</li> <li>Key types must be valid for the signing / verification algorithm</li> </ul> <h3>Security fixes</h3> <ul> <li>security: fixes <code>Arbitrary File Write via verify function</code> - CVE-2022-23529</li> <li>security: fixes <code>Insecure default algorithm in jwt.verify() could lead to signature validation bypass</code> - CVE-2022-23540</li> <li>security: fixes <code>Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC</code> - CVE-2022-23541</li> <li>security: fixes <code>Unrestricted key type could lead to legacy keys usage</code> - CVE-2022-23539</li> </ul> <h2>8.5.1 - 2019-03-18</h2> <h3>Bug fix</h3> <ul> <li>fix: ensure correct PS signing and verification (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/585">#585</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/e5874ae428ffc0465e6bd4e660f89f78b56a74a6">e5874ae428ffc0465e6bd4e660f89f78b56a74a6</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/585">#585</a></li> </ul> <h3>Docs</h3> <ul> <li>README: fix markdown for algorithms table (<a href="https://github.com/auth0/node-jsonwebtoken/commit/84e03ef70f9c44a3aef95a1dc122c8238854f683">84e03ef70f9c44a3aef95a1dc122c8238854f683</a>)</li> </ul> <h2>8.5.0 - 2019-02-20</h2> <h3>New Functionality</h3> <ul> <li>feat: add PS JWA support for applicable node versions (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/573">#573</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/eefb9d9c6eec54718fa6e41306bda84788df7bec">eefb9d9c6eec54718fa6e41306bda84788df7bec</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/573">#573</a></li> <li>Add complete option in jwt.verify (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/522">#522</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/8737789dd330cf9e7870f4df97fd52479adbac22">8737789dd330cf9e7870f4df97fd52479adbac22</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/522">#522</a></li> </ul> <h3>Test Improvements</h3> <ul> <li>Add tests for private claims in the payload (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/555">#555</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/5147852896755dc1291825e2e40556f964411fb2">5147852896755dc1291825e2e40556f964411fb2</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/555">#555</a></li> <li>Force use_strict during testing (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/577">#577</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/7b60c127ceade36c33ff33be066e435802001c94">7b60c127ceade36c33ff33be066e435802001c94</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/577">#577</a></li> <li>Refactor tests related to jti and jwtid (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/544">#544</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/7eebbc75ab89e01af5dacf2aae90fe05a13a1454">7eebbc75ab89e01af5dacf2aae90fe05a13a1454</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/544">#544</a></li> <li>ci: remove nsp from tests (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/569">#569</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/da8f55c3c7b4dd0bfc07a2df228500fdd050242a">da8f55c3c7b4dd0bfc07a2df228500fdd050242a</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/569">#569</a></li> </ul> <h3>Docs</h3> <ul> <li>Fix 'cert' token which isn't a cert (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/554">#554</a>) (<a href="https://github.com/auth0/node-jsonwebtoken/commit/0c24fe68cd2866cea6322016bf993cd897fefc98">0c24fe68cd2866cea6322016bf993cd897fefc98</a>), closes <a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/554">#554</a></li> </ul> <h2>8.4.0 - 2018-11-14</h2> <h3>New Functionality</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"><code>e1fa9dc</code></a> Merge pull request from GHSA-8cf7-32gw-wr33</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/5eaedbf2b01676d952336e73b4d2efba847d2d1b"><code>5eaedbf</code></a> chore(ci): remove github test actions job (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/861">#861</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/cd4163eb1407aab0b3148f91b0b9c26276b96c6b"><code>cd4163e</code></a> chore(ci): configure Github Actions jobs for Tests & Security Scanning (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/856">#856</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6"><code>ecdf6cc</code></a> fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16"><code>8345030</code></a> fix(sign&verify)!: Remove default <code>none</code> support from <code>sign</code> and <code>verify</code> met...</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/7e6a86b1c25e5fd05733c52c118848341aba1c4e"><code>7e6a86b</code></a> Upload OpsLevel YAML (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/849">#849</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/74d5719bd03993fcf71e3b176621f133eb6138c0"><code>74d5719</code></a> docs: update references vercel/ms references (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/770">#770</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/d71e383862fc735991fd2e759181480f066bf138"><code>d71e383</code></a> docs: document "invalid token" error</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/37650031fd0bac1a5b0d682bbfcf8c1705917aa9"><code>3765003</code></a> docs: fix spelling in README.md: Peak -> Peek (<a href="https://github-redirect.dependabot.com/auth0/node-jsonwebtoken/issues/754">#754</a>)</li> <li><a href="https://github.com/auth0/node-jsonwebtoken/commit/a46097e962621ab2ba718d1da6025cdeba3597c8"><code>a46097e</code></a> docs: make decode impossible to discover before verify</li> <li>Additional commits viewable in <a href="https://github.com/auth0/node-jsonwebtoken/compare/v8.1.0...v9.0.0">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a new releaser for jsonwebtoken since your current version.</p> </details> <br /> Updates `firebase-admin` from 8.12.1 to 11.4.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/firebase/firebase-admin-node/releases">firebase-admin's releases</a>.</em></p> <blockquote> <h2>Firebase Admin Node.js SDK v11.4.1</h2> <h3>Bug Fixes</h3> <ul> <li>fix: Update jsonwebtoken to v9.0.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2025">#2025</a>)</li> </ul> <h3>Miscellaneous</h3> <ul> <li>[chore] Release 11.4.1 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2026">#2026</a>)</li> <li>build(deps-dev): bump mocha from 10.1.0 to 10.2.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2019">#2019</a>)</li> <li>build(deps-dev): bump <code>@typescript-eslint/parser</code> from 5.42.1 to 5.47.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2020">#2020</a>)</li> <li>build(deps-dev): bump <code>@typescript-eslint/eslint-plugin</code> (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2018">#2018</a>)</li> </ul> <h2>Firebase Admin Node.js SDK v11.4.0</h2> <h3>Breaking Changes</h3> <ul> <li>change: Deprecate AutoML model support (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2013">#2013</a>)</li> </ul> <h3>New Features</h3> <ul> <li>feat(fs): preferRest app option for Firestore (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1901">#1901</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>fix(fcm): Increase batch send timeout to 15 seconds (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1999">#1999</a>)</li> <li>fix: Unregister socket timeout listener to prevent MaxListenersExceededWarning (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1993">#1993</a>)</li> </ul> <h3>Miscellaneous</h3> <ul> <li>[chore] Release 11.4.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2015">#2015</a>)</li> <li>build(deps): bump <code>@google-cloud/storage</code> from 6.6.0 to 6.8.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2008">#2008</a>)</li> <li>build(deps): bump <code>@types/node</code> from 18.11.9 to 18.11.14 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2012">#2012</a>)</li> <li>build(deps-dev): bump <code>@typescript-eslint/eslint-plugin</code> (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2009">#2009</a>)</li> <li>build(deps): bump decode-uri-component from 0.2.0 to 0.2.2 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1998">#1998</a>)</li> <li>build(deps): bump qs from 6.5.2 to 6.5.3 in /.github/actions/send-tweet (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2006">#2006</a>)</li> <li>build(deps-dev): bump eslint from 8.28.0 to 8.29.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2003">#2003</a>)</li> <li>build(deps-dev): bump <code>@types/lodash</code> from 4.14.186 to 4.14.191 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1997">#1997</a>)</li> <li>build(deps-dev): bump eslint from 8.24.0 to 8.28.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1991">#1991</a>)</li> <li>build(deps-dev): bump chai from 4.3.6 to 4.3.7 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1990">#1990</a>)</li> <li>build(deps-dev): bump sinon from 14.0.1 to 14.0.2 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1984">#1984</a>)</li> <li>build(deps-dev): bump <code>@firebase/auth-types</code> from 0.11.0 to 0.11.1 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1985">#1985</a>)</li> <li>build(deps): bump <code>@types/node</code> from 18.7.23 to 18.11.9 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1983">#1983</a>)</li> </ul> <h2>Firebase Admin Node.js SDK v11.3.0</h2> <h3>New Features</h3> <ul> <li>feat(extensions): Add extensions namespace (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1960">#1960</a>)</li> </ul> <h3>Miscellaneous</h3> <ul> <li>[chore] Release 11.3.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/1981">#1981</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/firebase/firebase-admin-node/commit/88ae832ac86bbdd015a7c859e6fa09f467391dfb"><code>88ae832</code></a> [chore] Release 11.4.1 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2026">#2026</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/ccffa139589685ad0c9c75e4a8cecf5d40b947d6"><code>ccffa13</code></a> build(deps-dev): bump mocha from 10.1.0 to 10.2.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2019">#2019</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/8c5ac0174db4293ef0c5fbb1ff3b73bac4c6f41c"><code>8c5ac01</code></a> build(deps-dev): bump <code>@typescript-eslint/parser</code> from 5.42.1 to 5.47.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2020">#2020</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/8d3501f89d2b70bdfc49b3cd99512b11116c87db"><code>8d3501f</code></a> build(deps-dev): bump <code>@typescript-eslint/eslint-plugin</code> (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2018">#2018</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/d23b1c52a801436476b6ed95699d49d1fcdb8f1e"><code>d23b1c5</code></a> fix: Update jsonwebtoken to v9.0.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2025">#2025</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/1acdb67c81e387d81353d5a9b19d36286d1e513d"><code>1acdb67</code></a> [chore] Release 11.4.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2015">#2015</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/ba5ec2e4042149cf425d2f0fccc51b37b91204fc"><code>ba5ec2e</code></a> change: Deprecate AutoML model support (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2013">#2013</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/8b8c874ee3d7cb2e36242d5200af5a2f87b47cfe"><code>8b8c874</code></a> build(deps): bump <code>@google-cloud/storage</code> from 6.6.0 to 6.8.0 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2008">#2008</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/f079949400f27233b5510b222ec5fa54492de49c"><code>f079949</code></a> build(deps): bump <code>@types/node</code> from 18.11.9 to 18.11.14 (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2012">#2012</a>)</li> <li><a href="https://github.com/firebase/firebase-admin-node/commit/d385b939bb52be060eca74c307dd175c3aa4f316"><code>d385b93</code></a> build(deps-dev): bump <code>@typescript-eslint/eslint-plugin</code> (<a href="https://github-redirect.dependabot.com/firebase/firebase-admin-node/issues/2009">#2009</a>)</li> <li>Additional commits viewable in <a href="https://github.com/firebase/firebase-admin-node/compare/v8.12.1...v11.4.1">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/szwalkowski/MarvelCharacterAppearanceManager/network/alerts). </details>
AI Analysis
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be still under discussion. The issue was opened by dependabot[bot] and has received 0 comments.
Add a comment
Comment form would go here