Security: Fix auth0/node-jws HMAC signature verification vulnerability

Gerkinfeltser · claude · Gerkinfeltser · commit 92be2061b41e · 2025-12-04T22:46:26.000-06:00
- Upgrade jws from 3.2.2 to 3.2.3 to patch GHSA-869p-cjfg-cm3x - Update jwa dependency to 1.4.2 as part of security fix - Bump version to 0.1.3 for security release - Update CHANGELOG.md with security details and README improvements 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,17 @@ All notable changes to the "Image Metadata Inspector" extension will be document
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.3] - 2025-12-04
+
+### Fixed
+- **Security:** Fixed auth0/node-jws HMAC signature verification vulnerability (GHSA-869p-cjfg-cm3x) by upgrading jws from 3.2.2 to 3.2.3
+- **Security:** Updated jwa dependency from 1.4.1 to 1.4.2 as part of the security fix
+
+### Changed
+- Updated jws dependency to version 3.2.3 to address timing attack vulnerability in HMAC signature verification
+- Enhanced README with corrected Linux package names and improved troubleshooting section for non-Windows platforms
+- This upgrade patches the HMAC signature timing attack vulnerability in the jws library
+
 ## [0.1.2] - 2025-11-17
 
 ### Fixed
@@ -58,6 +69,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Command palette support
 - JSON prettification for metadata display
 
+[0.1.3]: https://github.com/Gerkinfeltser/image-metadata-display/compare/v0.1.2...v0.1.3
+[0.1.2]: https://github.com/Gerkinfeltser/image-metadata-display/compare/v0.1.1...v0.1.2
 [0.1.1]: https://github.com/Gerkinfeltser/image-metadata-display/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/Gerkinfeltser/image-metadata-display/compare/v0.0.5...v0.1.0
 [0.0.5]: https://github.com/Gerkinfeltser/image-metadata-display/compare/v0.0.4...v0.0.5
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,18 +1,18 @@
 {
   "name": "image-metadata-inspector",
-  "displayName": "Image Metadata Inspector", 
+  "displayName": "Image Metadata Inspector",
   "description": "Inspect and display metadata of JPG, PNG, and WebP images. Perfect for ComfyUI workflows.",
   "repository": {
     "type": "git",
     "url": "https://github.com/Gerkinfeltser/image-metadata-display.git"
   },
-  "version": "0.1.2",
+  "version": "0.1.3",
   "publisher": "Gerkinfeltser",
   "icon": "images/image_metadata_viewer_icon.png",
   "license": "MIT",
   "keywords": [
     "metadata",
-    "exif", 
+    "exif",
     "image",
     "comfyui",
     "workflow",
@@ -75,6 +75,7 @@
     "typescript": "^5.3.3"
   },
   "dependencies": {
-    "exiftool-vendored": "^24.6.0"
+    "exiftool-vendored": "^24.6.0",
+    "jws": "^3.2.3"
   }
-}
+}
