This repository was archived by the owner on Apr 13, 2026. It is now read-only.

Fix jsonwebtoken <=8.5.1 security issue #57

@Amine27

Hi,

Can you please fix the security issue of the jsonwebtoken package by updating it to v9.0.0? There is no breaking change AFAIK.

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/jsonwebtoken
  @elastic/app-search-node  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@elastic/app-search-node

2 vulnerabilities (1 moderate, 1 high)

Thank you.
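
An added example, not part of the original issue or of the project's code: a dependency-free Node.js check that lists each installed copy of jsonwebtoken in a `package-lock.json` `packages` map that falls in the `<=8.5.1` range from the audit report, together with the packages that resolve to it. The lockfile is constructed, and `isAffected`, `resolveDep` and `findAffected` are hypothetical helper names.

```javascript
// Added example. Constructed lockfile (lockfileVersion 3), trimmed to the
// fields used here; package versions other than jsonwebtoken's are made up.
const sampleLock = {
  packages: {
    "": { name: "my-app", dependencies: { "@elastic/app-search-node": "*" } },
    "node_modules/@elastic/app-search-node": {
      version: "0.0.0-sample", dependencies: { jsonwebtoken: "^8.5.1" } },
    "node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/other-lib": {
      version: "0.0.0-sample", dependencies: { jsonwebtoken: "^9.0.0" } },
    "node_modules/other-lib/node_modules/jsonwebtoken": { version: "9.0.0" },
  },
};

// True when version <= 8.5.1, the range named in the npm audit report.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  if (!m) return true; // unparseable: flag for manual review
  const v = m.slice(1).map(Number), max = [8, 5, 1];
  for (let i = 0; i < 3; i++) if (v[i] !== max[i]) return v[i] < max[i];
  return true; // exactly 8.5.1
}

// Node-style lookup: nearest node_modules/<name> walking up from fromPath.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Affected installed copies of `name`, with the packages that resolve to each.
function findAffected(lock, name = "jsonwebtoken") {
  const packages = lock.packages || {}, hits = new Map();
  for (const [path, meta] of Object.entries(packages))
    if (path.endsWith("node_modules/" + name) && isAffected(meta.version))
      hits.set(path, { path, version: meta.version, requiredBy: [] });
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    const hit = name in deps && hits.get(resolveDep(packages, path, name));
    if (hit) hit.requiredBy.push(meta.name || path.split("node_modules/").pop());
  }
  return [...hits.values()];
}

console.log(JSON.stringify(findAffected(sampleLock), null, 2));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected` in place of `sampleLock`.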
