Critical vulnerability in superagent dependency.

[Twipped]

Checklist

• [X] The issue can be reproduced in the auth0-js sample app (or N/A).
• [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• [X] I have looked into the API documentation and have not found a suitable solution or answer.
• [X] I have searched the issues and have not found a suitable solution or answer.
• [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• [X] I agree to the terms within the Auth0 Code of Conduct.

Description

A new critical vulnerability was announced today in formidable 2.x, which is a dependency of superagent 7 and 8. Superagent needs to be updated to version 9 to get the new version of formidable which does not have this vulnerability.

See:

• https://github.com/advisories/GHSA-8cp3-66vr-3r4c
• https://github.com/ladjs/superagent/pull/1800
• https://github.com/ladjs/superagent/issues/1799
• v9.0.0 (release)

Reproduction

Run npm audit with auth0-js installed.

Additional context

No response

auth0-js version

9.24.1

Which browsers have you tested in?

Other

[laurence-myers]

The CVE has been withdrawn, so npm audit is no longer failing.

https://github.com/advisories/GHSA-8cp3-66vr-3r4c

[stevehobbsdev]

Thanks @laurence-myers, was just about to comment the same thing. Thanks for raising @in15!

[Twipped]

@stevehobbsdev might I suggest the project should still update to the latest superagent, anyway? Two major versions is a notable lag.