drop in replace base64url due to a vulnerability#179
Conversation
|
maybe better to use |
|
b64u is not using |
|
ah yes, I see; so many tabs open I must have been looking at something else. :D |
|
Is there something in the build that makes it fail in lts/8? |
|
Thanks @panva . Looking at the error log from Travis-CI, it appears that |
|
Taking a quick look, it looks like webpack is importing it as an es6 module, with a var impl = require("b64u");
if (impl.default) {
impl = impl.default;
}Will have to determine what the better fix is long term, though. |
|
That really looks weird. Isn’t there a webpack option for this? |
|
@panva So far I can't find it. It might involve having to add babel ... which is too much to include in this PR. |
|
Great thank you @linuxwolf, any chance for a patch release on the 0.11.x track? It would immidiately fix the dependent packages without requiring a 0.12 (to be released) update. (Semver below 1.0.0 doesnt pickup minor patches) |
|
@panva Working that out today. It might be bending the semver promise, but not by much. |
|
Applying this PR on top of the latest tag only would be great. No breaking then. |
|
That's exactly what I'm doing now; I wasn't sure how far Will push to |
* chore: replace base64url with b64u (#179) * Release 0.11.1
|
base64url@3.0.0 got released 🤦♂️ |
|
(I wonder if @vladikoff had anything to do with this ... 😛 ) Glad they updated; is it worth going back at some point in the future? |
|
With the next patch I will, just so that my software uses more used/watched dependencies and with that ends up with cleaner dependency trees. For node-jose, your call. |
|
@linuxwolf I also had the same problem as mentioned in #179 (comment) I'm leaning towards using base64url@3.0.0 but up to you |
Hi @linuxwolf,
the base64url package has a found vulnerability currently reported by snyk and other tools. The report history shows attempts to contact the maintainer for a fix with no success since march 2017.
b64u is a drop-in replacement with the vulnerability fixed. It'd be great if you could fast-forward a patch release with this fix.
Also, there was a forgotten .only in the test suite.