Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: jsrsasign package audit issue #62

Merged

Conversation

betimer
Copy link
Contributor

@betimer betimer commented Jan 22, 2024

Fix issue with:

# npm audit report

jsrsasign  <11.0.0
Severity: high
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign - https://github.com/advisories/GHSA-rh63-9qcf-83gf
No fix available
node_modules/jsrsasign
  @apple/app-store-server-library  *
  Depends on vulnerable versions of jsrsasign
  node_modules/@apple/app-store-server-library

@@ -1,6 +1,6 @@
{
"name": "@apple/app-store-server-library",
"version": "1.0.0",
"version": "1.0.1",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are going to bump the version, please also bump the version in the user agent string as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexanderjordanbaker good spot. done.

@alexanderjordanbaker alexanderjordanbaker merged commit 7e70212 into apple:main Jan 25, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants