Security warning reported on firebase/php-jwt

[Rudy1976Lympha]

Hello
today we were updating our application ( which is actually using mixerapi for api and JWT authentication ) and composer reported a security problem regarding firebase/jwt

We checked out packagist and it seems the only version where the problem has been addressed and resolved is 7.0, but this collides with constraints of your plugin, which cannot allow it.

Problem 1
    - Root composer.json requires mixerapi/jwt-auth 2.* -> satisfiable by mixerapi/jwt-auth[v2.0.0, ..., v2.0.6].
    - mixerapi/jwt-auth[v2.0.0, ..., v2.0.6] require firebase/php-jwt ^6.2 -> found firebase/php-jwt[v6.2.0, ..., v6.11.1] but it conflicts with your root composer.json require (7.0.0).

We are currently using your stack with the following:

 "mixerapi/bake": "2.*",
  "mixerapi/crud": "2.*",
  "mixerapi/jwt-auth": "2.*",
  "mixerapi/mixerapi": "2.*",

Is there something we can do? We are actually using your plugin ( with satisfaction I can say ) in multiple production environments.

Thanks in advance

Rudy

[cnizzardini]

Hey @Rudy1976Lympha thanks for the report on this. I moved this issue from mixerapi to mixerapi-dev repository as this is where the development actually occurs.

I did a very quick cursory look at the dependencies involved:

• https://github.com/cakephp/authentication/blob/4.x/composer.json
• https://github.com/firebase/php-jwt/blob/v7.0.0/composer.json
• https://github.com/mixerapi/mixerapi-dev/blob/master/plugins/jwt-auth/composer.json

The sticking point is in mixerapi-dev I have ^3.0 set for cake authentication. I am not certain why I locked to that specific version and that change was quite long ago.... https://github.com/mixerapi/mixerapi-dev/commits/master/plugins/jwt-auth/composer.json

If you want, submit a PR within this repository that bumps that to ^4.0. Its a mono-repo so you have to make this change in two composer.json files:

• https://github.com/mixerapi/mixerapi-dev/blob/master/plugins/jwt-auth/composer.json
• https://github.com/mixerapi/mixerapi-dev/blob/master/composer.json

Or you can wait for me to get around to it which might not happen until this weekend.

[cnizzardini]

To be clear. MixerAPI is likely not impacted by this CVE as the the MixerAPI/JwtAuth plugin enforced strong HMAC and RSA key lengths. I will still upgrade this package to clear the false alarms.