jose dependency is vulnerable moderate #3238
Comments
|
Do we have news here? It's annoying to manually set overrides while using newman cli in our project. |
|
We can workaround it by using the version 6.2.0 of newman. It uses the [email protected] which uses [email protected] that doesn't have the vulnerability. |
|
Confirmed 6.2.0 fixes this. Weird thing is that 6.2.1 does not. Is this a regression in dependencies? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
yarn audit show this output jose dependency is vulnerable is it possible to upgrade or replace it ?
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ jose vulnerable to resource exhaustion via specifically │
│ │ crafted JWE with compressed plaintext │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ jose │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.15.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ newman > postman-runtime > jose │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1096835
The text was updated successfully, but these errors were encountered: