fix: bump jsonwebtoken to v9.0.0

fixes #342

It introduces several security fixes to follow best practices.

.github/workflows/build.yml

@@ -10,10 +10,10 @@ jobs:
   build:
     runs-on: 'ubuntu-latest'
     steps:
-      - uses: 'actions/checkout@v3.0.0'
+      - uses: 'actions/checkout@v3.3.0'
 
       - name: 'Use Node.js'
-        uses: 'actions/setup-node@v3.1.0'
+        uses: 'actions/setup-node@v3.6.0'
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -23,3 +23,5 @@ jobs:
 
       - name: 'Build'
         run: 'npm run build'
+
+      - run: 'npm run build:typescript'

.github/workflows/lint.yml

@@ -10,10 +10,10 @@ jobs:
   lint:
     runs-on: 'ubuntu-latest'
     steps:
-      - uses: 'actions/checkout@v3.0.0'
+      - uses: 'actions/checkout@v3.3.0'
 
       - name: 'Use Node.js'
-        uses: 'actions/setup-node@v3.1.0'
+        uses: 'actions/setup-node@v3.6.0'
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -24,5 +24,5 @@ jobs:
       - run: 'npm run lint:commit -- --to "${{ github.sha }}"'
       - run: 'npm run lint:editorconfig'
       - run: 'npm run lint:markdown'
-      - run: 'npm run lint:typescript'
+      - run: 'npm run lint:eslint'
       - run: 'npm run lint:prettier'

.github/workflows/release.yml

@@ -8,10 +8,10 @@ jobs:
   release:
     runs-on: 'ubuntu-latest'
     steps:
-      - uses: 'actions/checkout@v3.0.0'
+      - uses: 'actions/checkout@v3.3.0'
 
       - name: 'Use Node.js'
-        uses: 'actions/setup-node@v3.1.0'
+        uses: 'actions/setup-node@v3.6.0'
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -22,6 +22,8 @@ jobs:
       - name: 'Build Package'
         run: 'npm run build'
 
+      - run: 'npm run build:typescript'
+
       - name: 'Release'
         run: 'npm run release'
         env:

.github/workflows/test.yml

@@ -10,10 +10,10 @@ jobs:
   test:
     runs-on: 'ubuntu-latest'
     steps:
-      - uses: 'actions/checkout@v3.0.0'
+      - uses: 'actions/checkout@v3.3.0'
 
       - name: 'Use Node.js'
-        uses: 'actions/setup-node@v3.1.0'
+        uses: 'actions/setup-node@v3.6.0'
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -26,6 +26,3 @@ jobs:
 
       - name: 'Test'
         run: 'npm run test'
-
-      - name: 'Upload Coverage'
-        uses: 'codecov/codecov-action@v3.0.0'

.husky/pre-commit

@@ -3,3 +3,4 @@
 
 npm run lint:staged
 npm run build
+npm run build:typescript

.lintstagedrc.json

@@ -2,5 +2,5 @@
   "*": ["editorconfig-checker"],
   "*.{js,jsx,ts,tsx}": ["prettier --write", "eslint --fix"],
   "*.{json,jsonc,yml,yaml}": ["prettier --write"],
-  "*.{md}": ["prettier --write", "markdownlint --dot --fix"]
+  "*.{md,mdx}": ["prettier --write", "markdownlint-cli2 --fix"]
 }

.markdownlint-cli2.jsonc

@@ -0,0 +1,5 @@
+{
+  "globs": ["**/*.{md,mdx}"],
+  "ignores": ["**/node_modules"],
+  "customRules": ["markdownlint-rule-relative-links"]
+}

.markdownlint.json

@@ -1,7 +1,7 @@
 {
   "default": true,
-  "MD013": false,
-  "MD024": false,
+  "relative-links": true,
+  "extends": "markdownlint/style/prettier",
   "MD033": false,
   "MD041": false
 }

.swcrc

@@ -2,21 +2,11 @@
   "jsc": {
     "parser": {
       "syntax": "typescript",
-      "decorators": true,
       "dynamicImport": true
     },
-    "transform": {
-      "legacyDecorator": true,
-      "decoratorMetadata": true
-    },
-    "target": "es2022",
-    "loose": true
+    "target": "es2022"
   },
   "module": {
-    "type": "es6",
-    "strict": false,
-    "strictMode": true,
-    "lazy": false,
-    "noInterop": false
+    "type": "es6"
   }
 }

.vscode/settings.json

@@ -6,5 +6,6 @@
   "editor.formatOnSave": true,
   "editor.codeActionsOnSave": {
     "source.fixAll": true
-  }
+  },
+  "eslint.options": { "ignorePath": ".gitignore" }
 }

README.md

@@ -12,7 +12,6 @@
   <a href="https://github.com/Thream/socketio-jwt/actions/workflows/build.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/build.yml/badge.svg?branch=develop" /></a>
   <a href="https://github.com/Thream/socketio-jwt/actions/workflows/lint.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/lint.yml/badge.svg?branch=develop" /></a>
   <a href="https://github.com/Thream/socketio-jwt/actions/workflows/test.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/test.yml/badge.svg?branch=develop" /></a>
-  <a href="https://codecov.io/gh/Thream/socketio-jwt"><img src="https://codecov.io/gh/Thream/socketio-jwt/branch/develop/graph/badge.svg" alt="codecov" /></a>
   <br />
   <a href="https://conventionalcommits.org"><img src="https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg" alt="Conventional Commits" /></a>
   <a href="https://github.com/semantic-release/semantic-release"><img src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg" alt="semantic-release" /></a>
@@ -133,7 +132,7 @@ io.on('connection', async (socket) => {
 
 ```ts
 import { io } from 'socket.io-client'
-import { isUnauthorizedError } from '@thream/socketio-jwt'
+import { isUnauthorizedError } from '@thream/socketio-jwt/build/UnauthorizedError.js'
 
 // Require Bearer Token
 const socket = io('http://localhost:9000', {

package.json

@@ -31,12 +31,13 @@
   },
   "homepage": "https://github.com/Thream/socketio-jwt#readme",
   "scripts": {
-    "build": "rimraf ./build && swc ./src --out-dir ./build && tsc",
+    "build": "rimraf ./build && swc ./src --out-dir ./build",
     "build:dev": "swc ./src --out-dir ./build --watch",
+    "build:typescript": "tsc",
     "lint:commit": "commitlint",
     "lint:editorconfig": "editorconfig-checker",
-    "lint:markdown": "markdownlint \"**/*.md\" --dot --ignore-path \".gitignore\"",
-    "lint:typescript": "eslint \"**/*.{js,jsx,ts,tsx}\" --ignore-path \".gitignore\"",
+    "lint:markdown": "markdownlint-cli2",
+    "lint:eslint": "eslint \"**/*.{js,jsx,ts,tsx}\" --ignore-path \".gitignore\"",
     "lint:prettier": "prettier \".\" --check --ignore-path \".gitignore\"",
     "lint:staged": "lint-staged",
     "test": "c8 tap",
@@ -49,39 +50,41 @@
     "socket.io": ">=3.0.0"
   },
   "dependencies": {
-    "jsonwebtoken": "8.5.1"
+    "jsonwebtoken": "9.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "16.2.3",
-    "@commitlint/config-conventional": "16.2.1",
+    "@commitlint/cli": "17.4.1",
+    "@commitlint/config-conventional": "17.4.0",
     "@swc/cli": "0.1.57",
-    "@swc/core": "1.2.164",
-    "@types/jsonwebtoken": "8.5.8",
-    "@types/node": "17.0.23",
-    "@types/tap": "15.0.6",
-    "@typescript-eslint/eslint-plugin": "5.18.0",
-    "@typescript-eslint/parser": "5.18.0",
-    "axios": "0.26.1",
-    "c8": "7.11.0",
+    "@swc/core": "1.3.25",
+    "@tsconfig/strictest": "1.0.2",
+    "@types/jsonwebtoken": "9.0.0",
+    "@types/node": "18.11.18",
+    "@types/tap": "15.0.7",
+    "@typescript-eslint/eslint-plugin": "5.48.1",
+    "@typescript-eslint/parser": "5.48.1",
+    "axios": "1.2.2",
+    "c8": "7.12.0",
     "editorconfig-checker": "4.0.2",
-    "eslint": "8.12.0",
-    "eslint-config-conventions": "2.0.0",
-    "eslint-config-prettier": "8.5.0",
+    "eslint": "8.31.0",
+    "eslint-config-conventions": "6.0.0",
+    "eslint-config-prettier": "8.6.0",
     "eslint-plugin-import": "2.26.0",
-    "eslint-plugin-prettier": "4.0.0",
-    "eslint-plugin-promise": "6.0.0",
-    "eslint-plugin-unicorn": "42.0.0",
-    "fastify": "3.28.0",
-    "husky": "7.0.4",
-    "lint-staged": "12.3.7",
-    "markdownlint-cli": "0.31.1",
+    "eslint-plugin-prettier": "4.2.1",
+    "eslint-plugin-promise": "6.1.1",
+    "eslint-plugin-unicorn": "45.0.2",
+    "fastify": "4.11.0",
+    "husky": "8.0.3",
+    "lint-staged": "13.1.0",
+    "markdownlint-cli2": "0.6.0",
+    "markdownlint-rule-relative-links": "1.1.1",
     "pinst": "3.0.0",
-    "prettier": "2.6.2",
+    "prettier": "2.8.2",
     "rimraf": "3.0.2",
-    "semantic-release": "19.0.2",
-    "socket.io": "4.4.1",
-    "socket.io-client": "4.4.1",
-    "tap": "16.0.1",
-    "typescript": "4.6.3"
+    "semantic-release": "20.0.2",
+    "socket.io": "4.5.4",
+    "socket.io-client": "4.5.4",
+    "tap": "16.3.3",
+    "typescript": "4.9.4"
   }
 }

src/__test__/authorize.test.ts

@@ -1,15 +1,16 @@
 import tap from 'tap'
 import axios from 'axios'
-import { io, Socket } from 'socket.io-client'
+import type { Socket } from 'socket.io-client'
+import { io } from 'socket.io-client'
 
 import { isUnauthorizedError } from '../UnauthorizedError.js'
+import type { Profile } from './fixture/index.js'
 import {
   API_URL,
   fixtureStart,
   fixtureStop,
   getSocket,
-  basicProfile,
-  Profile
+  basicProfile
 } from './fixture/index.js'
 
 export const api = axios.create({

src/__test__/fixture/index.ts

@@ -1,8 +1,10 @@
 import jwt from 'jsonwebtoken'
 import { Server as SocketIoServer } from 'socket.io'
-import fastify, { FastifyInstance } from 'fastify'
+import type { FastifyInstance } from 'fastify'
+import fastify from 'fastify'
 
-import { authorize, AuthorizeOptions } from '../../index.js'
+import type { AuthorizeOptions } from '../../index.js'
+import { authorize } from '../../index.js'
 
 interface FastifyIo {
   instance: SocketIoServer
@@ -67,7 +69,9 @@ export const fixtureStart = async (
   application.addHook('onClose', (fastify) => {
     fastify.io.instance.close()
   })
-  await application.listen(PORT)
+  await application.listen({
+    port: PORT
+  })
 }
 
 export const fixtureStop = async (): Promise<void> => {

src/authorize.ts

@@ -1,5 +1,6 @@
-import jwt, { Algorithm } from 'jsonwebtoken'
-import { Socket } from 'socket.io'
+import type { Algorithm } from 'jsonwebtoken'
+import jwt from 'jsonwebtoken'
+import type { Socket } from 'socket.io'
 
 import { UnauthorizedError } from './UnauthorizedError.js'
 

tsconfig.json

@@ -1,4 +1,5 @@
 {
+  "extends": "@tsconfig/strictest/tsconfig.json",
   "compilerOptions": {
     "target": "ESNext",
     "module": "ESNext",
@@ -7,9 +8,6 @@
     "outDir": "./build",
     "rootDir": "./src",
     "emitDeclarationOnly": true,
-    "declaration": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "esModuleInterop": true
+    "declaration": true
   }
 }