high severity in jsonwebtoken <=8.5.1

[huineng]

i got this warning this morning

thanks

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
No fix available
node_modules/ibm-cloud-sdk-core/node_modules/jsonwebtoken
  ibm-cloud-sdk-core  >=0.3.0
  Depends on vulnerable versions of jsonwebtoken
  node_modules/ibm-cloud-sdk-core
    @ibm-cloud/cloudant  *
    Depends on vulnerable versions of ibm-cloud-sdk-core
    node_modules/@ibm-cloud/cloudant

[dpopp07]

@huineng Thanks for the notice. I am seeing this as well. It looks like a new major release of jsonwebtoken may be required. I'm not sure yet what changes we'll need in our code to support that but I will start looking into it

[sjcotto]

Hi, any news regarding this topic? it looks no major changes are needed

[TannerS]

Also wanted to check on this, due dates to fix deps which depend on this dep by januray 5th

[dpopp07]

Hey all - this will be resolved in #225