jaredhanson / passport-openid

OpenID authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-openid/?utm_source=github&utm_medium=referral&utm_campaign=passport-openid&utm_content=about
MIT License

VULNERABILITY! openid npm package 1.0.4 does not check return_to #41

Open dilame opened 6 years ago

dilame commented 6 years ago

It is necessary to update the dependency from

"openid": "1.x.x"

to

"openid": "2.x.x"

pronebird commented 6 years ago

There is already a PR for that: https://github.com/jaredhanson/passport-openid/issues/35

Poikilos commented 6 years ago

There was a fix but no PR, so I made it: https://github.com/jaredhanson/passport-openid/pull/43

rwky commented 6 years ago

Forked and fixed in https://github.com/passport-next/passport-openid

Install with npm install @passport-next/passport-openid

YasharF commented 4 years ago

The openid npm module hasn't been touched in years and also has an issue with the use of the now-deprecated requestjs. It might be worth migrating off of openid to the openid-client npm module, which is more actively maintained.
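
The `return_to` verification that OpenID Authentication 2.0 (section 11.1) requires of a relying party, sketched as an added example that is not part of this thread or of the openid package's code. The function names and the rp.example / other.example URLs are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; function names are hypothetical, not the openid package's API.

// Sorted, joined values for one query key, so repeated keys compare by content.
function valuesOf(params, key) {
  return params.getAll(key).sort().join('\u0000');
}

// requestUrl: absolute URL of the request that delivered the assertion, rebuilt by
// the relying party from its own configured origin plus the request path and query
// (assumption: never taken from a client-supplied Host header).
function returnToMatchesRequest(requestUrl) {
  let received, claimed;
  try {
    received = new URL(requestUrl);
    const returnTo = received.searchParams.get('openid.return_to');
    if (!returnTo) return false;               // absent return_to: reject
    claimed = new URL(returnTo);
  } catch (err) {
    return false;                              // unparsable URL: reject
  }
  // Scheme, authority and path must be identical (OpenID 2.0, section 11.1).
  if (claimed.origin !== received.origin) return false;
  if (claimed.username || claimed.password) return false;
  if (claimed.pathname !== received.pathname) return false;
  // Every query parameter in return_to must reach us with the same value(s).
  for (const key of new Set(claimed.searchParams.keys())) {
    if (valuesOf(claimed.searchParams, key) !== valuesOf(received.searchParams, key)) {
      return false;
    }
  }
  return true;
}

// Constructed sample requests (rp.example and other.example are placeholders).
const ENDPOINT = 'https://rp.example/auth/openid/return';
function sampleRequest(returnTo, query = 'sid=abc') {
  const rt = returnTo === null ? '' : '&openid.return_to=' + encodeURIComponent(returnTo);
  return `${ENDPOINT}?${query}&openid.mode=id_res${rt}`;
}

console.log(returnToMatchesRequest(sampleRequest(ENDPOINT + '?sid=abc')));
console.log(returnToMatchesRequest(sampleRequest('https://other.example/auth/openid/return?sid=abc')));
```

A relying party would run this before accepting the assertion and treat a `false` result as a failed login.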