celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0
684 stars 360 forks

fix(deps): update dependency @azure/identity to v4 [security] (release/core-contracts/11_old) - autoclosed #11060

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @azure/identity (source) | `^1.1.0` -> `^4.0.0` |

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

GHSA-m5vv-6r4h-3vj9

More information

#### Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

#### Severity

- CVSS Score: 5.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)
- [https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340](https://togithub.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340)
- [https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499](https://togithub.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499)
- [https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d](https://togithub.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d)
- [https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492](https://togithub.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492)
- [https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53](https://togithub.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53)
- [https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178](https://togithub.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178)
- [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m5vv-6r4h-3vj9) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

Azure/azure-sdk-for-js (@azure/identity)

### [`v4.0.0`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/cosmos_4.0.0)

##### 4.0.0 (2023-09-12)

##### Features Added

- Added Changefeed support for partition keys, feed ranges, and entire container. [#18062](https://togithub.com/Azure/azure-sdk-for-js/issues/18062)
- Added Diagnostics to all response objects, i.e. ResourceResponse (parent class for ItemResponse, ContainerResponse etc.), FeedResponse, ChangeFeedIteratorResponse, ErrorResponse, BulkOperationResponse. [#21177](https://togithub.com/Azure/azure-sdk-for-js/issues/21177)
- Added support for hierarchical partitions. [#23416](https://togithub.com/Azure/azure-sdk-for-js/issues/23416)
- Added support of index metrics. [#20194](https://togithub.com/Azure/azure-sdk-for-js/issues/20194)
- Improved the retry utility to align with other language SDKs. Now, it automatically retries requests on the next available region when encountering HTTP 503 errors (Service Unavailable) and handles HTTP timeouts more effectively, enhancing the SDK's reliability. [#23475](https://togithub.com/Azure/azure-sdk-for-js/issues/23475)
- Added priority based throttling. [docs](https://devblogs.microsoft.com/cosmosdb/introducing-priority-based-execution-in-azure-cosmos-db-preview/) [#26393](https://togithub.com/Azure/azure-sdk-for-js/pull/26393/files)

##### Bugs Fixed

- Updated response codes for the getDatabase() method. [#25932](https://togithub.com/Azure/azure-sdk-for-js/issues/25932)
- Fix Upsert operation failing when partition key of container is `/id` and `/id` is missing in the document. [#21383](https://togithub.com/Azure/azure-sdk-for-js/issues/21383)

##### Breaking Changes

- The definition of PartitionKey is changed, PartitionKeyDefinition is now an independent type. [#23416](https://togithub.com/Azure/azure-sdk-for-js/issues/23416)

### [`v3.1.0`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/arm-keyvault_3.1.0)

#### 3.1.0 (2023-10-18)

**Features**

- Added Interface ManagedServiceIdentity
- Added Interface UserAssignedIdentity
- Added Type Alias ManagedServiceIdentityType
- Interface ManagedHsmResource has a new optional parameter identity
- Added Enum KnownManagedServiceIdentityType

### [`v3.0.0`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/core-amqp_3.0.0)

#### 3.0.0 (2021-06-09)

##### Breaking changes

- Updates the `rhea-promise` and `rhea` dependencies to version 2.x. `rhea` contains a breaking change that changes deserialization of timestamps from numbers to Date objects.
- Removes the `AsyncLock` and `defaultLock` exports. `defaultCancellableLock` should be used instead.

### [`v2.1.0`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/core-amqp_2.1.0)

#### 2.1.0 (2021-02-08)

- Fixes the bug reported in issue [13048](https://togithub.com/Azure/azure-sdk-for-js/issues/13048). Now an informative error is thrown describing the circumstance that led to the error.
- Adds the ability to configure the `amqpHostname` and `port` that a `ConnectionContextBase` will use when connecting to a service. The `host` field refers to the DNS host or IP address of the service, whereas the `amqpHostname` is the fully qualified host name of the service. Normally `host` and `amqpHostname` will be the same. However if your network does not allow connecting to the service via the public host, you can specify a custom host (e.g. an application gateway) via the `host` field and continue using the public host as the `amqpHostname`.

### [`v2.0.5`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.5)

#### 2.0.5 (2022-06-22)

##### Bugs Fixed

- Fixed a bug in `InteractiveBrowserCredential` for Mac OS where the [app was not getting closed](https://togithub.com/Azure/azure-sdk-for-js/issues/21726) after the authorization succeeded.

### [`v2.0.4`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.4)

#### 2.0.4 (2022-02-18)

##### Bugs Fixed

- Fixed a regression in version 2.0.3 in which providing an options bag, but *not* a client ID, to the `ManagedIdentityCredential` constructor would discard the `options` parameter.

### [`v2.0.3`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.3)

#### 2.0.3 (2022-02-16)

##### Features Added

- Added log warning for non-support of user assigned identity in Managed Identity credentials in Cloud Shell environments.

##### Bugs Fixed

- Fixed bug that duplicated the tenant Id on the URI of outgoing requests when passing an `authorityHost` ending with a tenant Id.
- `ManagedIdentityCredential` now won't retry when it tries to ping the IMDS endpoint.
- Now we are specifying the maximum number of retries to 3 to ensure that maximum retries won't change without notice.

### [`v2.0.2`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.2)

#### 2.0.2 (2022-02-03)

##### Features Added

- Improved the error message when `InteractiveBrowserCredential` is used with an unavailable port (such as when no `redirectUri` is provided, and the port `80` is busy) and when no browser is available.

##### Bugs Fixed

- Challenge claims now are properly being passed through to the outgoing token requests.
- The `ManagedIdentityCredential` now properly parses expiration dates from token exchange requests.

##### Other Changes

- Moved the `@types/stoppable` dependency to the `devDependencies`.

### [`v2.0.1`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.1)

#### 2.0.1 (2021-10-28)

##### Features Added

- The `ManagedIdentityCredential` now supports the Service Fabric environment.

##### Bugs Fixed

- Fixed a bug that caused the `AzureCliCredential` to fail on Windows. Issue [18268](https://togithub.com/Azure/azure-sdk-for-js/issues/18268).

### [`v2.0.0`](https://togithub.com/Azure/azure-sdk-for-js/releases/tag/%40azure/identity_2.0.0)

#### 2.0.0 (2021-10-15)

After multiple beta releases over the past year, we're proud to announce the general availability of version 2 of the `@azure/identity` package. This version includes the best parts of v1, plus several improvements.

This changelog entry showcases the changes that have been made from version 1 of this package. See the [v1-to-v2 migration guide](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md) for details on how to upgrade your application to use the version 2 of `@azure/identity`. For information on troubleshooting the Identity package, see the [troubleshooting guide](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/Troubleshooting.md).

##### Features Added

##### Plugin API

Identity v2 provides a top-level `useIdentityPlugin` function, which allows using two new plugin packages:

- [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode), which provides the dependencies of `VisualStudioCodeCredential` and enables it.
  - If the `@azure/identity-vscode` plugin isn't used through the `useIdentityPlugin` function, the `VisualStudioCodeCredential` exposed by Identity v2 will throw a `CredentialUnavailableError`.
- [@azure/identity-cache-persistence](https://www.npmjs.com/package/@azure/identity-cache-persistence), which provides persistent token caching. Most credentials on Identity v2 now support the persistent token caching feature.

Such credentials include the property [tokenCachePersistenceOptions](https://docs.microsoft.com/javascript/api/@azure/identity/tokencachepersistenceoptions) in the constructor options which can be used to enable this feature. The following example showcases how to enable persistence caching by first enabling the `@azure/identity-cache-persistence` plugin with `useIdentityPlugin(cachePersistencePlugin)`, and then passing the `tokenCachePersistenceOptions` through the constructor of the `DeviceCodeCredential`:

```ts
import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
import { useIdentityPlugin, DeviceCodeCredential } from "@azure/identity";

useIdentityPlugin(cachePersistencePlugin);

async function main() {
  const credential = new DeviceCodeCredential({
    tokenCachePersistenceOptions: { enabled: true },
  });
}
```

##### New credentials

Identity v2 includes two new credential types:

- `AzurePowerShellCredential`, which re-uses any account previously authenticated with the `Az.Account` PowerShell module.
- `OnBehalfOfCredential`, which enables the [On-Behalf-Of authentication flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).

##### New features in all credentials

Identity v2 enables:

- Support for claims challenges resulting from [Continuous Access Enforcement (CAE)](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) and [Conditional Access authentication context](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775).
  - By default, credentials of Identity v2 will produce tokens that can be used to trigger the challenge authentication flows. After these tokens expire, the next HTTP requests to Azure will fail, but the response will contain information to re-authenticate.
  - To disable this behavior, set the environment variable `AZURE_IDENTITY_DISABLE_CP1` to any value. For more about claims challenges, see [Claims challenges, claims requests, and client capabilities](https://docs.microsoft.com/azure/active-directory/develop/claims-challenge).
- Support for multi-tenant authentication on all credentials except `ManagedIdentityCredential`.
  - At the moment, applications needing multi-tenancy support will need to call the credentials' `getToken` directly, sending the new `tenantId` property.
  - A sample with more context will be provided at a future date.
  - To disable it, set the environment variable `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH`. For more about multitenancy, see [Identity management in multitenant apps](https://docs.microsoft.com/azure/architecture/multitenant-identity/).

##### New features in InteractiveBrowserCredential and DeviceCodeCredential

You can now control when the credential requests user input with the new `disableAutomaticAuthentication` option added to the options you pass to the credential constructors.

- When enabled, this option stops the `getToken()` method from requesting user input in case the credential is unable to authenticate silently.
- If `getToken()` fails to authenticate without user interaction, and `disableAutomaticAuthentication` has been set to true, a new error will be thrown: `AuthenticationRequired`. You may use this error to identify scenarios when manual authentication needs to be triggered (with `authenticate()`, as described in the next point).

A new method `authenticate()` is added to these credentials which is similar to `getToken()`, but it does not read the `disableAutomaticAuthentication` option described above.

- Use this to get an `AuthenticationRecord` which you can then use to create new credentials that will re-use the token information.
- The `AuthenticationRecord` object has a `serialize()` method that allows an authenticated account to be stored as a string and re-used in another credential at any time. Use the new helper function `deserializeAuthenticationRecord` to de-serialize this string.
- `authenticate()` might succeed and still return `undefined` if we're unable to pick just one account record from the cache. This might happen if the cache is being used by more than one credential, or if multiple users have authenticated using the same Client ID and Tenant ID. To ensure consistency on a program with many users, please keep track of the `AuthenticationRecord` and provide them in the constructors of the credentials on initialization.

Learn more via the samples below

- [Samples around controlling user interaction](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#control-user-interaction).
- [Samples around persisting user authentication data](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#persist-user-authentication-data).

##### New features in ManagedIdentityCredential

In Identity v2, the `ManagedIdentityCredential` retries with exponential back-off when a request for a token fails with a 404 status code. This change only applies to environments with available IMDS endpoints.

Azure Service Fabric support hasn't been added on the initial version 2 of Identity. Subscribe to [issue #12420](https://togithub.com/Azure/azure-sdk-for-js/issues/12420) for updates on this feature.

##### Other features

- `ClientCertificateCredential` now optionally accepts a configuration object as its third constructor parameter, instead of the PEM certificate path. This new object, called `ClientCertificateCredentialPEMConfiguration`, can contain either the PEM certificate path with the `certificatePath` property, or the contents of the PEM certificate with the `certificate` property.
- The Node.js version of `InteractiveBrowserCredential` has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
- `InteractiveBrowserCredential` has a new `loginHint` constructor option, which allows a username to be pre-selected for interactive logins.
- In `AzureCliCredential`, we allow specifying a `tenantId` in the parameters through the `AzureCliCredentialOptions`.
- A new error, named `AuthenticationRequiredError`, has been added. This error shows up when a credential fails to authenticate silently.
- Errors and logged exceptions may point to the new [troubleshooting guidelines](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/Troubleshooting.md).
- On all of the credentials we're providing, the initial authentication attempt in the lifetime of your app will include an additional request to first discover relevant endpoint metadata information from Azure.

##### Breaking changes

##### Breaking changes from v1

- For `ClientCertificateCredential` specifically, the validity of the PEM certificate is evaluated on `getToken` and not on the constructor.
- We have also renamed the error `CredentialUnavailable` to `CredentialUnavailableError`, to align with the naming convention used for error classes in the Azure SDKs in JavaScript.
- In v1 of Identity some `getToken` calls could resolve with `null` in the case the authentication request succeeded with a malformed output. In v2, issues with the `getToken` method will always throw errors.
- Breaking changes to InteractiveBrowserCredential
  - The `InteractiveBrowserCredential` will use the [Auth Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) with [PKCE](https://tools.ietf.org/html/rfc7636) rather than [Implicit Grant Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to better support browsers with enhanced security restrictions. Learn how to migrate in the [migration guide](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/migration-v1-v2.md). Read more about the latest `InteractiveBrowserCredential` [here](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/interactive-browser-credential.md).
  - The default client ID used for `InteractiveBrowserCredential` was viable only in Node.js and not for the browser. Therefore, on v2 client ID is a required parameter when using this credential in browser apps.
  - Identity v2 also removes the `postLogoutRedirectUri` from the options to the constructor for `InteractiveBrowserCredential`. This option wasn't being used. Instead of using this option, use MSAL directly. For more information, see [Authenticating with the @azure/msal-browser Public Client](https://togithub.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-the-azuremsal-browser-public-client).
- In Identity v2, `VisualStudioCodeCredential` throws a `CredentialUnavailableError` unless the new [@azure/identity-vscode](https://www.npmjs.com/package/@azure/identity-vscode) plugin is used.
- Standardizing the tracing span names to be `.` over `-`

##### Breaking Changes from 2.0.0-beta.4

- Removed the `allowMultiTenantAuthentication` option from all of the credentials. Multi-tenant authentication is now enabled by default. On Node.js, it can be disabled with the `AZURE_IDENTITY_DISABLE_MULTITENANTAUTH` environment variable.
- Removed support for specific Azure regions on `ClientSecretCredential` and `ClientCertificateCredential`. This feature will be added back on the next beta.

##### Breaking Changes from 2.0.0-beta.6

- Stopped exporting the `ApplicationCredential` from the package. This will be re-introduced in the future.
- Removed the `CredentialPersistenceOptions` from `DefaultAzureCredential` and `EnvironmentCredential`.
- Merged the configuration and the options bag on the `OnBehalfOfCredential` into a single options bag.
- `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has its parameters in a single options bag, `AuthenticationRequiredErrorOptions`.
- `InteractiveBrowserCredentialOptions` has been renamed to `InteractiveBrowserCredentialNodeOptions`, and `InteractiveBrowserCredentialBrowserOptions` has been renamed to `InteractiveBrowserCredentialInBrowserOptions`.

##### Bugs Fixed

- `ClientSecretCredential`, `ClientCertificateCredential`, and `UsernamePasswordCredential` throw if the required parameters aren't provided (even in JavaScript).
- Fixed a bug that caused `AzureCliCredential` to fail when a custom tenant ID was provided.
- Caught up with the bug fixes for Azure POD Identity that were implemented on version 1.5.1.

##### Other Changes

Identity v2 no longer includes native dependencies (neither ordinary, peer, nor optional dependencies). Previous distributions of `@azure/identity` included an optional dependency on `keytar`, which caused issues for some users in restrictive environments.

Identity v2 for JavaScript now also depends on the latest available versions of `@azure/msal-common`, `@azure/msal-node`, and `@azure/msal-browser`. Our goal is to always be up-to-date with the MSAL versions.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

socket-security[bot] commented 2 weeks ago

New and removed dependencies detected. Learn more about Socket for GitHub

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@azure/identity@4.3.0 | None | 0 | 0 B | |
| npm/@azure/msal-browser@3.17.0 | network | +1 | 7.73 MB | azuread |
| npm/@azure/msal-node@2.9.2 | environment, filesystem, network | +9 | 3.38 MB | azuread |

View full report
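The Socket report above shows `@azure/identity` resolving to 4.3.0 once the declared range moved from `^1.1.0` to `^4.0.0`. As an added example (not code from celo-monorepo, Renovate or Socket), the following implements npm caret-range semantics by hand to show why the range itself had to change for a security fix, and why the range alone is not the whole story. The first fixed version is a parameter; the value `4.2.1` used in the sample input is an assumption taken from the advisory's patched-version field, which this page does not quote, and should be verified against GHSA-m5vv-6r4h-3vj9. The `^0.y.z` handling goes beyond the page's case and follows npm's documented caret behaviour.

```javascript
// Added example (not code from celo-monorepo, Renovate or Socket): minimal
// npm-style semver and caret-range evaluation to check whether a declared
// dependency range can ever pull in an advisory's first fixed version.

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error("not a semver version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 / 0 / 1 ordering on the numeric core; prerelease tags are ignored here.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret range ^M.m.p: from M.m.p up to, but excluding, the next release that
// changes the left-most non-zero component (npm semantics, including 0.x).
function caretBounds(range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled: " + range);
  const [M, m, p] = parseVersion(range.slice(1));
  let upperExclusive;
  if (M > 0) upperExclusive = `${M + 1}.0.0`;
  else if (m > 0) upperExclusive = `0.${m + 1}.0`;
  else upperExclusive = `0.0.${p + 1}`;
  return { lower: `${M}.${m}.${p}`, upperExclusive };
}

function satisfies(version, range) {
  const { lower, upperExclusive } = caretBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upperExclusive) < 0;
}

// Classify a declared range against the first fixed version:
//  "fix-unreachable": no version the range can resolve to is fixed; the
//                     manifest range must be bumped (what Renovate did here).
//  "mixed":           the range spans vulnerable and fixed versions; only the
//                     lockfile's resolved version tells you where you stand.
//  "fixed-only":      every version in range is at or above the fix.
function assessRange(range, fixedVersion) {
  const { lower, upperExclusive } = caretBounds(range);
  if (compareVersions(upperExclusive, fixedVersion) <= 0) return "fix-unreachable";
  if (compareVersions(lower, fixedVersion) >= 0) return "fixed-only";
  return "mixed";
}

// The resolved (lockfile) version is what actually ships.
function isVulnerableResolved(resolvedVersion, fixedVersion) {
  return compareVersions(resolvedVersion, fixedVersion) < 0;
}

// Sample input constructed from values visible on this PR page.
const DECLARED_BEFORE = "^1.1.0";   // range before the PR
const DECLARED_AFTER = "^4.0.0";    // range after the PR
const RESOLVED_AFTER = "4.3.0";     // resolved version per the Socket report
const FIRST_FIXED = "4.2.1";        // ASSUMPTION: advisory's patched version; verify against the GHSA

function reportForThisPr(fixedVersion = FIRST_FIXED) {
  return {
    before: assessRange(DECLARED_BEFORE, fixedVersion),
    after: assessRange(DECLARED_AFTER, fixedVersion),
    resolvedIsVulnerable: isVulnerableResolved(RESOLVED_AFTER, fixedVersion),
  };
}

console.log(reportForThisPr());
```

The point a reviewer should take from the "mixed" result: `^4.0.0` makes the fix reachable but does not guarantee it, so the thing to check in the PR is the lockfile's resolved version (4.3.0 here), not the manifest range. Scanners that only read `package.json` will happily pass a `^4.0.0` range whose lockfile still pins a vulnerable 4.x.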