Description
The propelauth crate currently depends on jsonwebtoken version 8.3.0, which in turn relies on ring version 0.16.20. A recent security advisory (RUSTSEC-2025-0009) has identified that ring version 0.16.20 may panic under certain circumstances when overflow checking is enabled, specifically involving AES functions.
Dependency Chain:
ring 0.16.20
└── jsonwebtoken 8.3.0
    └── propelauth 0.23.0
Crate: ring
Version: 0.16.20
Title: Some AES functions may panic when overflow checking is enabled.
Date: 2025-03-06
ID: RUSTSEC-2025-0009
URL: https://rustsec.org/advisories/RUSTSEC-2025-0009
Solution: Upgrade to >=0.17.12
Dependency tree:
ring 0.16.20
└── jsonwebtoken 8.3.0
    └── propelauth 0.23.0
        └── shiftcontrol-saas-service-api 0.6.12
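To check a downstream project for this chain without waiting for cargo audit, here is an added example (not code from the propelauth project or from this issue) in Rust using only std: it reads a Cargo.lock, flags any ring entry below the 0.17.12 fix the advisory names, and walks the lockfile upward to the crate that pulls it in, which is what `cargo tree -i ring` reports. The lockfile fragment embedded in it is constructed to mirror the tree above.

```rust
// Added example, not the propelauth project's code: a std-only Cargo.lock scanner that flags
// ring releases below the RUSTSEC-2025-0009 fix (0.17.12) and reports the dependent chain.
const FIXED: (u64, u64, u64) = (0, 17, 12);

fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Minimal Cargo.lock reader: (name, version, dependency names) per [[package]] block.
fn parse_lock(lock: &str) -> Vec<(String, String, Vec<String>)> {
    lock.split("[[package]]").skip(1).map(|block| {
        let (mut name, mut version, mut deps) = (String::new(), String::new(), Vec::new());
        for line in block.lines().map(str::trim) {
            if let Some(v) = line.strip_prefix("name = ") {
                name = v.trim_matches('"').to_string();
            } else if let Some(v) = line.strip_prefix("version = ") {
                version = v.trim_matches('"').to_string();
            } else if line.starts_with('"') {
                // entries read "name" or "name version" when several versions coexist
                let entry = line.trim_matches(|c: char| c == '"' || c == ',');
                deps.push(entry.split(' ').next().unwrap_or(entry).to_string());
            }
        }
        (name, version, deps)
    }).collect()
}

/// Path from `target` up to the root crate, following the first dependent at each step.
fn dependents_chain(pkgs: &[(String, String, Vec<String>)], target: &str) -> Vec<String> {
    let mut chain = vec![target.to_string()];
    loop {
        let last = chain.last().unwrap().clone();
        match pkgs.iter().find(|(n, _, d)| d.contains(&last) && !chain.contains(n)) {
            Some((n, _, _)) => chain.push(n.clone()),
            None => return chain,
        }
    }
}

/// Every ring entry older than the fixed release, paired with the chain that pulls it in.
pub fn vulnerable_ring(lock: &str) -> Vec<(String, Vec<String>)> {
    let pkgs = parse_lock(lock);
    pkgs.iter()
        .filter(|(n, v, _)| n.as_str() == "ring" && parse_version(v).map_or(false, |pv| pv < FIXED))
        .map(|(n, v, _)| (v.clone(), dependents_chain(&pkgs, n)))
        .collect()
}

// Constructed lockfile fragment mirroring the chain reported in this issue (not a real Cargo.lock).
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"jsonwebtoken\"\nversion = \"8.3.0\"\ndependencies = [\n \"ring\",\n]\n\n\
[[package]]\nname = \"propelauth\"\nversion = \"0.23.0\"\ndependencies = [\n \"jsonwebtoken\",\n]\n\n\
[[package]]\nname = \"ring\"\nversion = \"0.16.20\"\n\n[[package]]\nname = \"shiftcontrol-saas-service-api\"\n\
version = \"0.6.12\"\ndependencies = [\n \"propelauth\",\n]\n";
```

Run it against a real lockfile with `vulnerable_ring(&std::fs::read_to_string("Cargo.lock")?)`; an empty result means no ring below 0.17.12 is locked.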
Recommended Solution:
The recommended fix is to upgrade the dependency on jsonwebtoken to version >=9.0, which depends on the fixed version of ring (>=0.17.12). However, it is acknowledged that jsonwebtoken v9.x introduces breaking changes, according to @mrmauer here: #61 (review)
Impact:
Users of propelauth currently experience issues with cargo audit, and staying on the outdated ring version could pose security risks.
Request:
Please address this security concern by upgrading jsonwebtoken to a secure version (v9.x). If breaking changes complicate an immediate upgrade, guidance or a timeline on when this upgrade can be expected would be helpful.