@sameerag sameerag commented Dec 11, 2025

Address JWS CVE

@sameerag sameerag marked this pull request as ready for review December 11, 2025 19:23
@sameerag sameerag requested review from a team as code owners December 11, 2025 19:23
Copilot AI review requested due to automatic review settings December 11, 2025 19:23
Copilot AI left a comment
Pull request overview

This PR addresses a security vulnerability (CVE) in the JWS library by updating the jsonwebtoken dependency from ^9.0.0 to ^9.0.3 in the @azure/msal-node package. This triggers updates to several transitive dependencies including jws (3.2.2→3.2.3 and 4.0.1), jwa (1.4.1→1.4.2 and 2.0.1), and various other packages in the dependency tree.

Key Changes

  • Updated jsonwebtoken to ^9.0.3 in lib/msal-node/package.json to address a JWS CVE
  • Package lock file reflects transitive dependency updates for security patches
  • Added beachball change file documenting the security patch

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| lib/msal-node/package.json | Updated jsonwebtoken dependency version from ^9.0.0 to ^9.0.3 for CVE fix; includes formatting changes (indentation) |
| package-lock.json | Comprehensive lock file updates reflecting jsonwebtoken upgrade and transitive dependencies (jws, jwa, js-yaml, glob, node-forge, etc.) |
| change/@azure-msal-node-1234ea12-daeb-4b33-893b-47e57e5c62fe.json | Beachball change file documenting the patch-level security update |
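
The review summary above notes that the fix reaches jws and jwa only through the lock file. The following added example (not code from this PR or from MSAL.js) scans the `packages` map of a package-lock.json for copies below the versions the summary names. The function names and the sample lock data are constructed for illustration, and the lockfileVersion 2/3 layout is assumed.

```javascript
// Added example. Minimum version per major line, as named in the review summary.
const MINIMUMS = new Map([
  ["jsonwebtoken", { 9: "9.0.3" }],
  ["jws", { 3: "3.2.3", 4: "4.0.1" }],
  ["jwa", { 1: "1.4.2", 2: "2.0.1" }],
]);

// "3.2.2" -> [3, 2, 2]; a pre-release suffix such as "-beta.1" is ignored.
const parse = (v) => v.split("-")[0].split(".").map(Number);

function isBelow(version, minimum) {
  const a = parse(version), b = parse(minimum);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Nested copies (node_modules/x/node_modules/jws) are checked too, because a
// patched top-level copy does not replace a stale nested one.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const mins = MINIMUMS.get(name);
    if (!mins || typeof entry.version !== "string") continue;
    const min = mins[parse(entry.version)[0]];
    if (min === undefined) {
      // Major line the summary does not mention: flag for manual review.
      findings.push({ path, version: entry.version, status: "unlisted-major" });
    } else if (isBelow(entry.version, min)) {
      findings.push({ path, version: entry.version, status: "outdated", min });
    }
  }
  return findings;
}

// Constructed sample lock data, not the PR's package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-root" },
    "node_modules/jsonwebtoken": { version: "9.0.3" },
    "node_modules/jws": { version: "3.2.2" },
    "node_modules/jwa": { version: "1.4.2" },
    "node_modules/some-dep/node_modules/jws": { version: "4.0.1" },
    "node_modules/some-dep/node_modules/jwa": { version: "2.0.0" },
  },
};
console.log(auditLock(sampleLock));
```

To audit a real lock file, pass the parsed JSON of package-lock.json to `auditLock`.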

@microsoft-github-policy-service
Reminder: This PR appears to be stale. If this PR is still a work in progress please mark as draft.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 5, 2026
@rasulsafa
Any update on when this will be merged? @sameerag