Jws CG fix - AppCenterTestV1 #21975

Open
v-gayatrij wants to merge 1 commit into master from users/v-gayjaiswal/jws-cg-fix-appcentertest

@v-gayatrij
Contributor

Context

AB#2339822
CG Alert 342212

Vulnerability reported in jws 3.2.2 (CVE-2025-65945, High severity).
jws 3.2.2 is pulled in transitively via appcenter-cli -> jsonwebtoken -> jws.
Safe version: jws 3.2.3 or 4.0.1


Task Name

AppCenterTestV1


Description

Regenerate package-lock.json to resolve jws to 3.2.3 (safe version) for CVE-2025-65945.


Risk Assessment (Low / Medium / High)

Low


Change Behind Feature Flag (Yes / No)

No - dependency version update only


Tech Design / Approach

  • Deleted package-lock.json and ran npm install to regenerate with safe jws version.

Documentation Changes Required (Yes/No)

No


Unit Tests Added or Updated (Yes / No)

No - dependency update only, no code changes


Additional Testing Performed

Verified jws resolves to 3.2.3 in regenerated lock file.


Logging Added/Updated (Yes/No)

No


Telemetry Added/Updated (Yes/No)

No


Rollback Scenario and Process (Yes/No)

Revert the package-lock.json changes.


Dependency Impact Assessed and Regression Tested (Yes/No)

Yes - only transitive dependency version changed to patch release.


Checklist

  • Related issue linked (if applicable)
  • Task version was bumped
  • Verified the task behaves as expected

Regenerate package-lock.json to resolve jws to 3.2.3 (safe version)
for CVE-2025-65945. Bump task patch version.

AB#2339822
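
A check for the verification step in the description above (that jws resolves to a safe version in the regenerated lock file), as an added example that is not part of this pull request or the repository's code. The function names and the sample lock file are constructed for illustration, and treating releases later than 3.2.3 and 4.0.1 as safe is an assumption.

```javascript
// Added example (not from the PR): find every resolved copy of jws in a parsed
// package-lock.json and flag copies that are not at a safe version.
// The PR names 3.2.3 and 4.0.1 as safe. Treating later releases in each line as
// safe too is an assumption of this example. Unparseable versions fail closed.
function isSafeJws(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major === 3) return minor > 2 || (minor === 2 && patch >= 3);
  if (major === 4) return minor > 0 || patch >= 1;
  return major > 4;
}

// Hypothetical helper: list each install path and version of `name`.
function findPackage(lock, name) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (walked only if no "packages").
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

function auditJws(lock) {
  const found = findPackage(lock, "jws");
  return { found, unsafe: found.filter((h) => !isSafeJws(h.version)) };
}

// Constructed sample lock file (not the PR's lock file; versions are placeholders).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-task" },
    "node_modules/jsonwebtoken": { version: "0.0.0-sample" },
    "node_modules/jws": { version: "3.2.3" },
    "node_modules/appcenter-cli/node_modules/jws": { version: "3.2.2" },
  },
};
```

To audit a real file, pass the parsed contents of `package-lock.json` to `auditJws` and fail the build when `unsafe` is non-empty; a nested copy can stay on an old version even when the top-level copy is updated.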
@azure-pipelines
Azure Pipelines:
Successfully started running 3 pipeline(s).
