[Snyk] Upgrade @badgateway/oauth2-client from 2.2.1 to 2.3.0 #315

jkopriva · 2024-03-23T18:56:13Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade @badgateway/oauth2-client from 2.2.1 to 2.3.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 4 versions ahead of your current version.
The recommended version was released 2 months ago, on 2024-02-03.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
Path Traversal SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: @badgateway/oauth2-client

2.3.0 - 2024-02-03
- Fix for #128: If there's no secret, we should never use Basic auth to encode the client_id.
- Support for the resource parameter from RFC 8707.
- Add support for scope parameter to refresh().
- Support for RFC 7009, Token Revocation. (@ adambom)
2.2.4 - 2023-09-05
- Added extraParams option to getAuthorizeUri, allowing users to add non-standard arguments to the authorization URI for servers that require this. (@ pks1989)
2.2.3 - 2023-08-03
- Moved the tokenResponseToOAuth2Token function inside the OAuth2Client class, allowing users to override the parsing logic more easily.
2.2.2 - 2023-07-28
- #111 Some documentation fixes.
- #110: Fix race condition with getStoredToken and calling fetch() immediately after constructing FetchWrapper.
2.2.1 - 2023-07-07
- #15: Fix for TypeError: Failed to execute 'fetch' on 'Window': Illegal invocation at t.OAuth2Client.request.

from @badgateway/oauth2-client GitHub release notes

Commit messages

Package name: @badgateway/oauth2-client

7ce4f29 Releasing 2.3.0
f53cfd0 Merge pull request upgrade dex names #126 from adambom/adambom-revoke
08643ef Update changelog, readme
929d115 Merge branch 'main' into adambom-revoke
a761025 Merge pull request Red Hat Trusted App Pipeline update dex-quality-dashboard #135 from badgateway/scope-on-refresh
aba40e3 Add support for "resource" and "scope" on refresh().
d37e518 Merge pull request Fix kube-linter issues #134 from badgateway/resource-indicators
fdb4dd3 Honesty is the best policy
a6a6cfd Support for Resource Indicators for OAuth 2.0.
c38475a Altering test to demonstrate issue with non returning JSON from revoke
9335fbb Moving revoke tests into their own file
e165f3b Merge pull request chore(deps): update rhtap references #132 from debater-coder/patch-2
f6afe50 Fix typo
1444916 Fixed docs for refresh. See Red Hat Trusted App Pipeline update frontend-quality-dashboard #127.
0562b08 Merge pull request Red Hat Trusted App Pipeline purge frontend-quality-dashboard #129 from badgateway/public-client-id-in-body
538efc6 Fix for Red Hat Trusted App Pipeline update frontend-quality-dashboard #128
4a10935 Fix linting errors
c94f27f Add tests for revocation
714eaea Fix typo in comments
4b22de6 Fix RFC url
84a4526 Add support for token revocation
dc07503 Merge pull request chore(deps): update rhtap references #121 from badgateway/release-2-2-4
af65d96 Releasing 2.2.4
220284a Preparing 2.2.4 release