3 changes: 2 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,8 @@
"pnpm": {
"overrides": {
"sentry-testkit>body-parser": "npm:[email protected]",
"sentry-testkit>express": "npm:[email protected]"
"sentry-testkit>express": "npm:[email protected]",
"jws": "3.2.3"
@alexeyr-ci2 (Collaborator) commented on Dec 10, 2025:
@Seifeldin7 Keeping it as an override means that even if jsonwebtoken is updated in a later PR and wants a later jws version, it won't get updated automatically. Instead, my suggestion in such a case is to use overrides to update the lockfile and then restore the original package.json. The new lockfile should still satisfy it.

You could make the override something like >=3.2.3 but I think that has its own problems.

If overrides influenced our clients' resolution, it would be different, but I believe they don't.

}
Contributor review comment on lines +118 to 120:
⚠️ Potential issue | 🟠 Major

Add documentation explaining the security fix.

The PR objectives indicate that documentation updates are incomplete. For a security vulnerability (CVE-2023-35916 - improper HMAC signature verification in node-jws), add documentation describing the vulnerability and how the jws 3.2.3 override mitigates it.

Where should the security fix documentation be added (e.g., a SECURITY.md file, the README, or a docs directory)?

🤖 Prompt for AI Agents
In package.json around lines 118 to 120, the PR updated jws to 3.2.3 as a security override but lacks documentation; add a SECURITY.md at the repository root (and a short pointer in README.md) that briefly describes CVE-2023-35916 (improper HMAC signature verification), lists affected versions, states that we override/lock jws to 3.2.3 to mitigate the issue, shows the exact package.json override snippet and upgrade/remediation steps for users, includes references/links to the CVE and upstream patch, the PR/commit that applied the change, and a date + contact for incident questions so consumers can verify the fix and upgrade guidance.

⚠️ Potential issue | 🟠 Major

Add a CHANGELOG entry for the security vulnerability fix.

The PR objectives indicate that the CHANGELOG entry is incomplete. A security vulnerability fix (CVE-2023-35916) must be documented in CHANGELOG.md. Based on learnings, use the format: [PR 2203](https://github.com/shakacode/react_on_rails/pull/2203) by [Seifeldin7](https://github.com/Seifeldin7) followed by a description of the fix.

Would you like me to generate the CHANGELOG entry following the documented format?

🤖 Prompt for AI Agents
In package.json around lines 118 to 120, the PR omitted a CHANGELOG entry documenting the security vulnerability fix (CVE-2023-35916); add a new entry to CHANGELOG.md using the prescribed format: include the PR link and author link like `[PR 2203](https://github.com/shakacode/react_on_rails/pull/2203) by [Seifeldin7](https://github.com/Seifeldin7)` followed by a concise sentence describing the fix for CVE-2023-35916 (e.g., dependency update or patch applied), place it under the appropriate unreleased or version heading, and save the file.

}
}
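Review bot: the new `"jws": "3.2.3"` override is unscoped, whereas the two existing overrides in this block are scoped to a parent (`sentry-testkit>body-parser`, `sentry-testkit>express`); an unscoped exact pin forces every consumer of jws, including jsonwebtoken as the collaborator notes, onto 3.2.3 and will silently block any later upgrade until someone remembers to remove it. Suggest either scoping the override to the dependency that pulls in the vulnerable jws, or using the override only to regenerate pnpm-lock.yaml and then dropping it from package.json so the lockfile alone carries the fix, and in either case recording the reason (CVE-2023-35916) in CHANGELOG.md as the other reviewer asks, so the pin is not carried forward without context.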
9 changes: 5 additions & 4 deletions pnpm-lock.yaml