Can you clarify what you mean by "The fix to this involves updating jsonwebtoken to 9.0.0 which doesn't support versions of node below 11. This would have been fine, except that we are not using the verify function from jsonwebtoken package."?
rp
01/05/2023, 4:05 AM
It means we will not update the dependency of that library, because the function that’s vulnerable isn’t used by us anyway.
So the vulnerability pointed out by npm run audit doesn’t apply to us.
Chunkygoo
01/05/2023, 4:24 AM
So the vulnerability isn't really a vulnerability?
And the reason to not update the dependency is because updating it would discontinue the support for node versions below 11?