Bump jsonwebtoken and twilio
Created by: dependabot[bot]
Bumps jsonwebtoken to 9.0.1 and updates ancestor dependency twilio. These dependencies need to be updated together.
Updates jsonwebtoken
from 8.5.1 to 9.0.1
Changelog
Sourced from jsonwebtoken's changelog.
9.0.1 - 2023-07-05
- fix(stubs): allow decode method to be stubbed
9.0.0 - 2022-12-21
Breaking changes: See Migration from v8 to v9
Breaking changes
- Removed support for Node versions 11 and below.
- The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
- RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
- Key types must be valid for the signing / verification algorithm
Security fixes
- security: fixes
Arbitrary File Write via verify function
- CVE-2022-23529- security: fixes
Insecure default algorithm in jwt.verify() could lead to signature validation bypass
- CVE-2022-23540- security: fixes
Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- CVE-2022-23541- security: fixes
Unrestricted key type could lead to legacy keys usage
- CVE-2022-23539
Commits
-
84539b2
Updating package version to 9.0.1 (#920) -
a99fd4b
fix(stubs): allow decode method to be stubbed (#876) -
e1fa9dc
Merge pull request from GHSA-8cf7-32gw-wr33 -
5eaedbf
chore(ci): remove github test actions job (#861) -
cd4163e
chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856) -
ecdf6cc
fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr... -
8345030
fix(sign&verify)!: Remove defaultnone
support fromsign
andverify
met... -
7e6a86b
Upload OpsLevel YAML (#849) -
74d5719
docs: update references vercel/ms references (#770) -
d71e383
docs: document "invalid token" error - Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by jake.lacey, a new releaser for jsonwebtoken since your current version.
Updates twilio
from 3.84.1 to 4.19.0
Release notes
Sourced from twilio's releases.
4.19.0
Release Notes
Library - Chore
- [PR #966](twilio/twilio-node#966): upgraded semver versions. Thanks to
@sbansla
!- [PR #964](twilio/twilio-node#964): added feature request issue template. Thanks to
@sbansla
!Accounts
- Updated Safelist metadata to correct the docs.
- Add Global SafeList API changes
Api
- Added optional parameter
CallToken
for create participant apiFlex
- Adding
offline_config
to Flex ConfigurationIntelligence
- Deleted
redacted
parameter from fetching transcript in v2 (breaking change)Lookups
- Add new
phone_number_quality_score
package to the lookup response- Remove
disposable_phone_number_risk
package (breaking change)Messaging
- Update US App To Person documentation with current
message_samples
requirementsTaskrouter
- Remove beta_feature check on task_queue_bulk_real_time_statistics endpoint
- Add
virtual_start_time
property to tasks- Updating
task_queue_data
format frommap
toarray
in the response of bulk get endpoint of TaskQueue Real Time Statistics API (breaking change)4.18.1
Release Notes
Library - Fix
- [PR #961](twilio/twilio-node#961): update security method validatessl. Thanks to
@AsabuHere
!Lookups
- Add test api support for Lookup v2
4.18.0
Release Notes
... (truncated)
Changelog
Sourced from twilio's changelog.
[2023-10-19] Version 4.19.0
Library - Chore
- [PR #966](twilio/twilio-node#966): upgraded semver versions. Thanks to
@sbansla
!- [PR #964](twilio/twilio-node#964): added feature request issue template. Thanks to
@sbansla
!Accounts
- Updated Safelist metadata to correct the docs.
- Add Global SafeList API changes
Api
- Added optional parameter
CallToken
for create participant apiFlex
- Adding
offline_config
to Flex ConfigurationIntelligence
- Deleted
redacted
parameter from fetching transcript in v2 (breaking change)Lookups
- Add new
phone_number_quality_score
package to the lookup response- Remove
disposable_phone_number_risk
package (breaking change)Messaging
- Update US App To Person documentation with current
message_samples
requirementsTaskrouter
- Remove beta_feature check on task_queue_bulk_real_time_statistics endpoint
- Add
virtual_start_time
property to tasks- Updating
task_queue_data
format frommap
toarray
in the response of bulk get endpoint of TaskQueue Real Time Statistics API (breaking change)[2023-10-05] Version 4.18.1
Library - Fix
- [PR #961](twilio/twilio-node#961): update security method validatessl. Thanks to
@AsabuHere
!Lookups
- Add test api support for Lookup v2
[2023-09-21] Version 4.18.0
Conversations
- Enable conversation email bindings, email address configurations and email message subjects
Flex
- Adding
console_errors_included
to Flex Configuration fielddebugger_integrations
- Introducing new channel status as
inactive
in modify channel endpoint for leave functionality (breaking change)- Adding
citrix_voice_vdi
to Flex Configuration
... (truncated)
Upgrade guide
Sourced from twilio's upgrade guide.
Upgrade Guide
All
MAJOR
version bumps will have upgrade notes posted here.[2023-01-25] 3.x.x to 4.x.x
- Supported Node.js versions updated
- Lazy loading enabled by default (#752)
- Required Twilio modules now lazy load by default
- See the README for how to disable lazy loading
- Type changes from
object
toRecord
(#873)
- Certain response properties now use the
Record
type withstring
keys- Including the
subresourceUris
property for v2010 APIs and thelinks
properties for non-v2010 APIs- Access Tokens
- Creating an AccessToken requires an
identity
in the options (#875)ConversationsGrant
has been deprecated in favor ofVoiceGrant
(#783)IpMessagingGrant
has been removed (#784)- TwiML function deprecations (#788)
<Refer>
Refer.referSip()
replaced byRefer.sip()
<Say>
Say.ssmlBreak()
andSay.break_()
replaced bySay.break()
Say.ssmlEmphasis()
replaced bySay.emphasis()
Say.ssmlLang()
replaced bySay.lang()
Say.ssmlP()
replaced bySay.p()
Say.ssmlPhoneme()
replaced bySay.phoneme()
Say.ssmlProsody()
replaced bySay.prosody()
Say.ssmlS()
replaced bySay.s()
Say.ssmlSayAs()
replaced bySay.sayAs()
Say.ssmlSub()
replaced bySay.sub()
Say.ssmlW()
replaced bySay.w()
Old:
const response = new VoiceResponse(); const say = response.say("Hello"); say.ssmlEmphasis("you");
New:
const response = new VoiceResponse(); const say = response.say("Hello");
... (truncated)
Commits
-
de63541
Release 4.19.0 -
b86e2e0
[Librarian] Regenerated @ 922c1fef02b8c8fbbbe2315aa9b9d1dba49f3fc0 -
ed8ad97
chore: upgraded semver versions (#966) -
75361b2
chore: added feature request issue template (#964) -
a23ee16
Release 4.18.1 -
0ccd7ca
[Librarian] Regenerated @ a25fe2e20ee404d8f8642d6e5acceff276916c9e -
316114b
fix: update security method validatessl (#961) -
392fedd
Release 4.18.0 -
4af092a
[Librarian] Regenerated @ c9ac9b9736431d573d8dec29ad3095eee969cdea -
b39e374
Release 4.17.0 - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot show <dependency name> ignore conditions
will show all of the ignore conditions of the specified dependency -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.