fix: Moving @types/express to dev and re-generating package lock #464

Merged: cschetan77 merged 5 commits into master from fix/SDK-7483, Jan 13, 2026

Conversation

cschetan77 (Contributor) commented Jan 9, 2026

Description

Changes -

  • Moved @types/express from main dependency to dev dependency.
  • Updated package lock file.

@types/express has no usage in the SDK's type def file. The minimal types needed from express-jwt are custom defined.

References

Fixes #423 #446 #428 #436

Testing

  • jwks-rsa package should not install @types/express and its associated transitive dependencies.
  • TypeScript compilation should not fail when consuming expressJwtSecret.

cschetan77 requested a review from a team as a code owner, January 9, 2026 09:33
"dev": true,
"license": "MIT"
},
"node_modules/express-jwt-v6/node_modules/jsonwebtoken": {
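
Review bot: the `"dev": true` shown here closes the previous lockfile entry, not the `node_modules/express-jwt-v6/node_modules/jsonwebtoken` entry that the advisories below concern; that entry's own `version` and `dev` fields are not in the excerpt, so confirm in the regenerated package-lock that it resolves to jsonwebtoken 9.0.0 or later (the bot reports this as fixed in commit 6a5d56a) and whether it is reachable only through the express-jwt-v6 path.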

semgrepcode-auth0 (bot) commented Jan 9, 2026

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at node-jwks-rsa/package-lock.json:2306.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

🧁 Fixed in commit 6a5d56a 🧁

"dev": true,
"license": "MIT"
},
"node_modules/express-jwt-v6/node_modules/jsonwebtoken": {

semgrepcode-auth0 (bot) commented Jan 9, 2026

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.

Fix: Upgrade this library to at least version 9.0.0 at node-jwks-rsa/package-lock.json:2306.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

🥳 Fixed in commit 6a5d56a 🥳

cschetan77 merged commit ae1df31 into master, Jan 13, 2026
12 checks passed
cschetan77 deleted the fix/SDK-7483 branch, January 13, 2026 13:59
cschetan77 mentioned this pull request, Jan 15, 2026