
Security Updates for v3 #992

Open
5 tasks done
tstackhouse opened this issue Feb 23, 2024 · 2 comments
Labels
bug (This points to a verified bug in the code)

Comments

@tstackhouse

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

vm2, which is a transitive dependency of this library, is deprecated due to security issues, and I am unable to upgrade to 4.x of this library in the short term due to other libraries blocking my upgrade path. Are there any forthcoming updates to the 3.x line of this library that will address security issues?

Reproduction

n/a

Additional context

No response

node-auth0 version

3.7.2

Node.js version

16.20.1

@tstackhouse added the "bug" label on Feb 23, 2024
@bdukes

bdukes commented Apr 23, 2024

Similarly, we're using auth0-deploy-cli which depends on v3 of this library, and just started getting an error due to this library's dependency on rest-facade. It looks like superagent has a PR to update its dependency on formidable, though it's unclear when that might flow through the whole dependency chain.

# npm audit report

formidable  <3.2.4
Severity: critical
Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c
No fix available
node_modules/formidable
  superagent  >=0.4.0
  Depends on vulnerable versions of formidable
  node_modules/superagent
    rest-facade  *
    Depends on vulnerable versions of superagent
    node_modules/rest-facade
      auth0  2.0.0-alpha.3 - 3.7.2
      Depends on vulnerable versions of rest-facade
      node_modules/auth0
        auth0-deploy-cli  *
        Depends on vulnerable versions of auth0
        node_modules/auth0-deploy-cli

5 critical severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
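An added example, not from this issue or the node-auth0 project: a Node script that walks the machine-readable form of the report above (`npm audit --json`, auditReportVersion 2) and traces a transitive finding back to the direct dependency that pulls it in, so a maintainer knows which top-level package to bump or replace. The sample report is constructed to mirror the printed chain; `via`, `effects`, `isDirect` and `fixAvailable` are npm's real report fields, while the `nodes` paths and `source` id are assumptions.

```javascript
// Build one entry in the shape npm's JSON audit report uses (constructed sample).
const entry = (name, via, effects, range, isDirect = false) =>
  ({ name, severity: "critical", isDirect, via, effects, range,
     nodes: [`node_modules/${name}`], fixAvailable: false });

// Advisory object as it appears inside `via` for the root-cause package.
// Title and URL come from the audit output quoted above; `source` is assumed.
const advisory = { source: 0, name: "formidable", dependency: "formidable",
  title: "Formidable arbitrary file upload", severity: "critical", range: "<3.2.4",
  url: "https://github.com/advisories/GHSA-8cp3-66vr-3r4c" };

// Constructed report mirroring the printed chain formidable -> ... -> auth0-deploy-cli.
const sampleAudit = { auditReportVersion: 2, vulnerabilities: {
  formidable: entry("formidable", [advisory], ["superagent"], "<3.2.4"),
  superagent: entry("superagent", ["formidable"], ["rest-facade"], ">=0.4.0"),
  "rest-facade": entry("rest-facade", ["superagent"], ["auth0"], "*"),
  auth0: entry("auth0", ["rest-facade"], ["auth0-deploy-cli"], "2.0.0-alpha.3 - 3.7.2"),
  "auth0-deploy-cli": entry("auth0-deploy-cli", ["auth0"], [], "*", true),
} };

// Root causes are entries whose `via` holds advisory objects rather than package names.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(x => typeof x === "object"));
}

// Follow `effects` upward from a package until nothing depends on it any more;
// every resulting path ends at a package the project itself depends on.
function blameChains(report, name, path = [name]) {
  const v = report.vulnerabilities[name];
  if (!v || v.effects.length === 0) return [path];
  return v.effects.flatMap(e => blameChains(report, e, [...path, e]));
}

// Summarise each advisory as: its URLs, the full chains, and the direct deps to act on.
function summarise(report) {
  return rootCauses(report).map(v => {
    const chains = blameChains(report, v.name);
    return {
      advisory: v.via.filter(x => typeof x === "object").map(a => a.url),
      chains,
      directDeps: [...new Set(chains.map(c => c[c.length - 1]))],
    };
  });
}

console.log(JSON.stringify(summarise(sampleAudit), null, 2));
```

Run it against live data with `npm audit --json > audit.json` and `JSON.parse` instead of the constructed object; because advisories can be withdrawn (as the next comment notes for this one), re-run the audit rather than caching its result.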

@Narretz

Narretz commented Apr 26, 2024

@bdukes this specific security vulnerability has been withdrawn: GHSA-8cp3-66vr-3r4c
