jaredhanson / passport-openidconnect

OpenID Connect authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-openidconnect/?utm_source=github&utm_medium=referral&utm_campaign=passport-openidconnect&utm_content=about
MIT License

Need to migrate off request as it creates two security exposures #78

Closed scottdickerson closed 2 years ago

scottdickerson commented 4 years ago

The request package has a dependency on http-signature which has two security exposures:

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-20149
https://github.com/jonschlinkert/kind-of/commit/975c13a7cfaf25d811475823824af3a9c04b0ba8

Since request is now deprecated, can you move the library to use axios or fetch?

scottdickerson commented 4 years ago

Put in this PR to address:

https://github.com/jaredhanson/passport-openidconnect/pull/79

jaredhanson commented 2 years ago

I've decided to remove the discovery and dynamic client registration capabilities from this strategy. These features were never fully baked, and the functionality is best implemented outside of an authentication strategy. As such, this package no longer depends on request.

Closing.
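Doing discovery outside the strategy, as the maintainer's closing comment suggests, is straightforward with the built-in fetch of Node 18+. The following is an added example, not code from passport-openidconnect or from this thread; it assumes the Strategy option names (issuer, authorizationURL, tokenURL, userInfoURL, clientID, clientSecret, callbackURL, scope) from the package README, and the discovery document and client settings are constructed sample data so it runs offline.

```javascript
// Added example (not part of passport-openidconnect): run OIDC discovery
// outside the strategy, verify the result, then hand the endpoints to it.
// Well-known location of the provider metadata (OpenID Connect Discovery 1.0).
function wellKnownUrl(issuer) {
  return issuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
}
// Check the metadata against the issuer we intended to use and map it onto the
// option names the Strategy takes. The issuer comparison matters: a document
// naming another issuer must not be able to redirect authorization/token traffic.
function optionsFromDiscovery(expectedIssuer, doc, client) {
  if (doc.issuer !== expectedIssuer) {
    throw new Error(`issuer mismatch: expected ${expectedIssuer}, got ${doc.issuer}`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint']) {
    if (typeof doc[key] !== 'string' || !doc[key].startsWith('https://')) {
      throw new Error(`metadata lacks an https ${key}`);
    }
  }
  return {
    issuer: doc.issuer,
    authorizationURL: doc.authorization_endpoint,
    tokenURL: doc.token_endpoint,
    userInfoURL: doc.userinfo_endpoint,
    clientID: client.clientID,
    clientSecret: client.clientSecret,
    callbackURL: client.callbackURL,
    scope: client.scope,
  };
}
// Fetch the metadata with Node's built-in fetch (or an injected one for tests).
async function discover(expectedIssuer, client, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(wellKnownUrl(expectedIssuer));
  if (!res.ok) throw new Error(`discovery failed with HTTP ${res.status}`);
  return optionsFromDiscovery(expectedIssuer, await res.json(), client);
}
// Constructed sample metadata and client settings so the example runs offline.
const SAMPLE_DOC = {
  issuer: 'https://op.example.com',
  authorization_endpoint: 'https://op.example.com/authorize',
  token_endpoint: 'https://op.example.com/token',
  userinfo_endpoint: 'https://op.example.com/userinfo',
};
const SAMPLE_CLIENT = { clientID: 'demo-client', clientSecret: 'demo-secret',
  callbackURL: 'https://rp.example.com/cb', scope: ['openid', 'profile'] };
const fakeFetch = async () => ({ ok: true, status: 200, json: async () => SAMPLE_DOC });
// The resolved object is what you pass to new OpenIDConnectStrategy(options, verify).
discover('https://op.example.com', SAMPLE_CLIENT, fakeFetch).then(console.log);
```

Against a real provider, drop the fakeFetch argument and the global fetch is used; the issuer check will then reject any metadata document whose issuer field does not match the URL you discovered from.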