`jose` Security Vulnerability

[praxder]

The Dart package jose has a big vulnerability:
GHSA-vm9r-h74p-hg97

The stream_chat package uses an affected version of jose:

A quick look through the Stream source shows that it's being used in the token.dart file.

The fix should be relatively easy: just bumping the jose package version up to 0.3.5+1 or higher, per the GitHub advisory listed above.

For what it's worth, every time you run flutter pub get, it now outputs this warning, because of this vulnerability:

[praxder]

Any updates on this?

[justinfriberg]

Also waiting on this fix

[neel-sharma]

also waiting for the fix

[neel-sharma]

Opened a PR to fix this: #2613

Bumps jose lower bound from ^0.3.4 to ^0.3.5 in melos.yaml and packages/stream_chat/pubspec.yaml. Minimal change — just excludes the vulnerable version from resolution.

If anyone needs this immediately, you can point your pubspec.yaml to the fork:

dependency_overrides:
  stream_chat:
    git:
      url: https://github.com/neel-sharma/stream-chat-flutter.git
      path: packages/stream_chat
      ref: master