bdukes
commented
5 months ago Similarly, we're using auth0-deploy-cli which depends on v3 of this library, and just started getting an error due to this library's dependency on rest-facade. It looks like superagent has a PR to update its dependency on formidable, though it's unclear when that might flow through the whole dependency chain.
# npm audit report formidable <3.2.4 Severity: critical Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c No fix available node_modules/formidable superagent >=0.4.0 Depends on vulnerable versions of formidable node_modules/superagent rest-facade * Depends on vulnerable versions of superagent node_modules/rest-facade auth0 2.0.0-alpha.3 - 3.7.2 Depends on vulnerable versions of rest-facade node_modules/auth0 auth0-deploy-cli * Depends on vulnerable versions of auth0 node_modules/auth0-deploy-cli 5 critical severity vulnerabilities Some issues need review, and may require choosing a different dependency.
Narretz
Checklist
Description
vm2, which is a transitive dependency of this library is deprecated due to security issues, and I am unable to upgrade to 4.x of this library in the short term due to other libraries blocking my upgrade path. Are there any forthcoming updates to the 3.x line of this library that will address security issues?
Reproduction
n/a
Additional context
No response
node-auth0 version
3.7.2
Node.js version
16.20.1