Using jwt-express in Forest app template

When upgrading Liana express 6.1 → 6.7.2 a new error prevents the server from starting up.
This error is due to the main app doing this:

    secret: process.env.FOREST_AUTH_SECRET,
    credentialsRequired: false,

While the usage of the “jwt-express” in version 5 allows this, version 6 forces the usage of an algorithem specification (to handle security vulnerability). This is the cause for the error.

My questions is:

  • This code appears in the latest lumber templates - but is it required? What for? forest-express uses jwt-express 6 internally already.

  • The template did not have a dependency on jwt-express - assuming the internal dependency from forest-express is enough. not the template syntax is not compatible with 6. Should we keep this code like this and depend on 5 directly? Or should we remove this code? upgrade it to be compatible with 6?
    The template now HAS a dependency since this commit:
    But it’s still a 5. So the vulnerability is still there.

Thanks for the guidance!

Hello @Yoad_Snapir,

Thank you for your message.

I think you should be able to safely remove this code. I will notify our team about the issue and we will fix it as soon as possible. Thank you for the investigation