jaredhanson / passport-openid

OpenID authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-openid/?utm_source=github&utm_medium=referral&utm_campaign=passport-openid&utm_content=about
MIT License

Vulnerability in dependencies (openid -> request) #47

Open ZissisT opened 4 years ago

ZissisT commented 4 years ago

Hello,

Right now passport-openid depends on the openid module, which depends on request@^2.61.0, which has a memory leak vulnerability (https://github.com/request/request/issues/2938).

I opened a ticket there (https://github.com/havard/node-openid/issues/175), but this module seems abandoned, so I don't think this will be fixed there soon. Unfortunately, there is no openid version (not even v2) that has this fixed, so I don't know how this could be fixed in passport-openid (maybe depend on a different module other than openid?).

Thank you

YasharF commented 4 years ago

It might be worthwhile for passport-openid to migrate from the openid package to the better-maintained node-openid-client.