gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

passport-stack-exchange: Either remove it or create a new fork to fix vulnerabilities #102

Closed stefandesu closed 1 year ago

stefandesu commented 1 year ago

passport-stack-exchange is very old and uses a vulnerable version of request and there's no direct fix for it. It shouldn't be an issue as long as the URLs are configured correctly, but it would probably be best to either remove it entirely or create a new fork for it. If they are using standard OAuth, it shouldn't be a big deal, I think.

https://github.com/gbv/login-server/security/dependabot/15

stefandesu commented 1 year ago

I thought that it should be easy enough to reimplement the Stack Exchange strategy using the generic OAuth2 strategy, and it indeed was fairly easy. I think we should just keep it and maybe even simplify other strategies to use the passport-oauth2 as well.
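As an added illustration of the reimplementation described in the comment above (example code, not the gbv/login-server project's own strategy): a Stack Exchange login built on the generic `OAuth2Strategy` from passport-oauth2, plus an allowlist check on the endpoint URLs, since the first comment notes that the old package is only safe "as long as the URLs are configured correctly". The Stack Exchange authorization, token and `/me` endpoint URLs, the `key` query parameter and the shape of the `/me` response are assumptions from the Stack Exchange API documentation as I recall it, not facts taken from the issue; the strategy class and the HTTP helper are injected so the file loads with no network or package dependency.

```javascript
// Added example, not code from the gbv/login-server project: a Stack Exchange
// login strategy built on passport-oauth2's generic OAuth2Strategy, with an
// allowlist check on the endpoint URLs. The Stack Exchange endpoint URLs, the
// "key" query parameter and the shape of the /me response are assumptions
// taken from the Stack Exchange API docs as I recall them; check them against
// the current docs before deploying.

// Hosts on which the provider's OAuth2 and API endpoints may live.
const TRUSTED_HOSTS = ['stackoverflow.com', 'api.stackexchange.com'];

// Reject any endpoint that is not https or not on the allowlist. A strategy
// whose tokenURL could be pointed at an arbitrary host would send the client
// secret and the user's authorization code to that host, which is the
// misconfiguration risk the issue alludes to.
function assertTrustedEndpoint(rawUrl, trustedHosts = TRUSTED_HOSTS) {
  const url = new URL(rawUrl); // throws on a malformed URL
  if (url.protocol !== 'https:') {
    throw new Error(`endpoint ${rawUrl} must use https`);
  }
  if (!trustedHosts.includes(url.hostname)) {
    throw new Error(`endpoint host ${url.hostname} is not on the allowlist`);
  }
  return url.href;
}

// Constructor options for passport-oauth2's OAuth2Strategy. The token endpoint
// answers with a URL-encoded body (access_token=...&expires=...); the oauth
// library under passport-oauth2 falls back to query-string parsing when the
// body is not JSON, so no custom token parser is needed.
function stackExchangeOptions(config) {
  const options = {
    authorizationURL: 'https://stackoverflow.com/oauth',
    tokenURL: 'https://stackoverflow.com/oauth/access_token',
    clientID: config.clientID,
    clientSecret: config.clientSecret,
    callbackURL: config.callbackURL,
    state: true, // let passport-oauth2 generate and verify the CSRF state value
  };
  assertTrustedEndpoint(options.authorizationURL);
  assertTrustedEndpoint(options.tokenURL);
  return options;
}

// URL of the /me call that resolves the access token to a user. "key" is the
// Stack Exchange app key (separate from the OAuth client secret).
function meEndpoint(config, accessToken) {
  const url = new URL('https://api.stackexchange.com/2.3/me');
  url.searchParams.set('site', config.site || 'stackoverflow');
  url.searchParams.set('access_token', accessToken);
  if (config.apiKey) url.searchParams.set('key', config.apiKey);
  return assertTrustedEndpoint(url.href);
}

// Map the /me response (assumed shape: { items: [user] }) to a passport-style
// profile. A missing or empty response is an error, never an anonymous login.
function parseStackExchangeProfile(body) {
  const user = body && Array.isArray(body.items) ? body.items[0] : undefined;
  if (!user || user.user_id === undefined) {
    throw new Error('Stack Exchange /me response did not contain a user');
  }
  return {
    provider: 'stackexchange',
    id: String(user.user_id),
    displayName: user.display_name,
    profileUrl: user.link,
  };
}

// Build the strategy. OAuth2Strategy (the class exported by passport-oauth2)
// and fetchJson (HTTP GET returning a Promise of parsed JSON) are injected so
// this file loads without network or package dependencies; in an app you pass
// require('passport-oauth2') and a fetch-based helper. passport-oauth2 calls
// strategy.userProfile(accessToken, done) after the token exchange.
function buildStackExchangeStrategy(OAuth2Strategy, fetchJson, config, verify) {
  const strategy = new OAuth2Strategy(stackExchangeOptions(config), verify);
  strategy.name = 'stackexchange';
  strategy.userProfile = function (accessToken, done) {
    fetchJson(meEndpoint(config, accessToken)).then(
      (body) => {
        let profile;
        try {
          profile = parseStackExchangeProfile(body);
        } catch (err) {
          return done(err);
        }
        done(null, profile);
      },
      (err) => done(err),
    );
  };
  return strategy;
}
```

In an application you would register the result with `passport.use(buildStackExchangeStrategy(require('passport-oauth2'), fetchJson, config, verify))` and route through `passport.authenticate('stackexchange')`; the `verify` callback receives `(accessToken, refreshToken, profile, done)` from passport-oauth2, with `profile` being the object returned by `parseStackExchangeProfile`. Keeping the endpoint URLs as constants checked against an allowlist, rather than reading them from configuration, is what removes the "configured correctly" caveat from the first comment.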