fix: Upgrade jsonwebtoken to address CVE-2022-23540 (#5116)

packages/cli/package.json

@@ -72,7 +72,7 @@
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/json-diff": "^0.5.1",
-    "@types/jsonwebtoken": "^8.5.2",
+    "@types/jsonwebtoken": "^9.0.0",
     "@types/localtunnel": "^1.9.0",
     "@types/lodash.get": "^4.4.6",
     "@types/lodash.intersection": "^4.4.7",
@@ -144,7 +144,7 @@
     "ioredis": "^5.2.4",
     "json-diff": "^0.5.4",
     "jsonschema": "^1.4.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "jwks-rsa": "~1.12.1",
     "localtunnel": "^2.0.0",
     "lodash.get": "^4.4.2",

packages/cli/src/UserManagement/auth/jwt.ts

@@ -27,6 +27,7 @@ export function issueJWT(user: User): JwtToken {
 
 	const signedToken = jwt.sign(payload, config.getEnv('userManagement.jwtSecret'), {
 		expiresIn: expiresIn / 1000 /* in seconds */,
+		algorithm: 'HS256',
 	});
 
 	return {
@@ -57,7 +58,9 @@ export async function resolveJwtContent(jwtPayload: JwtPayload): Promise<User> {
 }
 
 export async function resolveJwt(token: string): Promise<User> {
-	const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret')) as JwtPayload;
+	const jwtPayload = jwt.verify(token, config.getEnv('userManagement.jwtSecret'), {
+		algorithms: ['HS256'],
+	}) as JwtPayload;
 	return resolveJwtContent(jwtPayload);
 }