the email they found was from a different repo and not monitored. this is ultimately our fault for not having a proper SECURITY.md on our main repository
the issue that was reported was fixed as soon as we heard about it - going through the process of learning about the CVE process, etc now and setting everything up correctly. we get 100s of issues reported to us daily across various mediums and we're figuring out how to manage this
i can't really say much beyond this is my own inexperience showing
even if the models do not get better there is so much demand even just b2b
we have all these problems we can fix but we are totally limited by availability
cloud providers are overwhelmed by the demand - you can see this in how stingy they are with rate limits and how they don't even talk to you unless you've already spent a lot with them
thanks for writing this up! i have been looking at switching to PASETO instead of jwt
one thing though - the reason we use asymmetric encryption is to allow other clients to validate tokens without calling a central server
eg if you use AWS API Gateway they specifically have jwt authorization support where you can point them to a jwks url and it will validate requests
i need to look into the algorithm again - another constraint was trying to work across everywhere JS runs and i need to check if a better algorithm can be used that still works everywhere