auth0 / idtoken-verifier

Lightweight RSA JWT verification
MIT License
77 stars 31 forks

bump crypto-js from 4.1.1 to 4.2.0 #175

Closed laurentbel closed 1 year ago

laurentbel commented 1 year ago

Changes

References

Testing

Not tested.

Checklist

pnappa commented 1 year ago

This is a good first step, I think with current day javascript it's possible to remove the dependency on crypto-js entirely. I understand this library is not vulnerable to the CVE on crypto-js (the only uses in this library for it are for SHA256, and base64/hex encoding) as PBKDF2 is not used here. However, as the crypto-js library is no longer supported, I think it might be prudent to eventually remove it as a dependency. This PR should be merged to fix the noise from the audit.

Searching: https://github.com/search?q=repo%3Aauth0%2Fidtoken-verifier%20crypto-js&type=code

These are the only imports from the library.

import sha256 from 'crypto-js/sha256';
import cryptoBase64 from 'crypto-js/enc-base64';
import cryptoHex from 'crypto-js/enc-hex';

I believe all three are now natively available in browsers & nodejs contexts. See https://nodejs.org/api/crypto.html and https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest for SHA256.

ewanharris commented 1 year ago

Thanks for this PR @laurentbel, it looks like the dependabot PR (#176) got in first but I've repurposed this one to use to cut the release with