kndt84 / passport-cognito

Passport strategy for AWS Cognito User Pools
https://www.npmjs.com/package/passport-cognito
MIT License
78 stars, 30 forks

Improper Authorization #38

Closed MarkSchlesinger closed 3 years ago

MarkSchlesinger commented 4 years ago

NPM Audit failure

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
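The bug class the advisory describes, reproduced as an added illustration that is not passport-cognito's own code: a Passport-style strategy that keeps the tokens returned by the identity provider on the strategy instance (one object shared by every request) beside one that keeps them in per-request local scope. The `SharedStateStrategy` and `RequestScopedStrategy` classes, the `fakeCognitoAuth()` stub, the `sleep()` helper, and the two hypothetical users with their latencies are all constructed for this demo; the timings are chosen so that Bob's token exchange completes while Alice's request is still in flight.

```javascript
// Constructed stand-in for the asynchronous token exchange with Cognito.
// Latency is an input so the interleaving of two concurrent logins is reproducible.
function fakeCognitoAuth(username, latencyMs) {
  return new Promise((resolve) => {
    setTimeout(() => resolve({
      accessToken: `access-${username}`,
      idToken: `id-${username}`,
      refreshToken: `refresh-${username}`,
    }), latencyMs);
  });
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// VULNERABLE pattern (hypothetical): tokens are stored on `this`, which is one
// object shared by all requests handled by this strategy instance.
class SharedStateStrategy {
  constructor() {
    this.tokens = null;
  }

  async authenticate(req) {
    this.tokens = await fakeCognitoAuth(req.username, req.authLatencyMs);
    // Any further await (e.g. fetching user attributes) yields to the event
    // loop; another request can overwrite this.tokens before we read it back.
    await sleep(req.postAuthLatencyMs);
    return { username: req.username, ...this.tokens };
  }
}

// FIXED pattern (hypothetical): tokens live in a local `const`, so each call has
// its own copy no matter how many authenticate() calls are in flight.
class RequestScopedStrategy {
  async authenticate(req) {
    const tokens = await fakeCognitoAuth(req.username, req.authLatencyMs);
    await sleep(req.postAuthLatencyMs);
    return { username: req.username, ...tokens };
  }
}

// Constructed sample: two users log in at the same time. Alice's token exchange
// finishes first but she spends longer in the post-auth step; Bob's exchange
// lands in that gap.
const CONCURRENT_LOGINS = [
  { username: 'alice', authLatencyMs: 5, postAuthLatencyMs: 40 },
  { username: 'bob', authLatencyMs: 20, postAuthLatencyMs: 5 },
];

// Runs both logins concurrently and reports, per user, which access token they
// ended up with and whether it is the one issued for them.
async function runConcurrentLogins(strategy) {
  const users = await Promise.all(
    CONCURRENT_LOGINS.map((req) => strategy.authenticate(req)),
  );
  return users.map((u) => ({
    username: u.username,
    accessToken: u.accessToken,
    receivedOwnTokens: u.accessToken === `access-${u.username}`,
  }));
}

// True when every concurrent user received their own tokens: the property a
// per-request scoping fix restores and a regression test should assert.
async function allUsersIsolated(strategy) {
  const report = await runConcurrentLogins(strategy);
  return report.every((r) => r.receivedOwnTokens);
}

// Demo: with shared state Alice is handed Bob's tokens; with request scope both are isolated.
(async () => {
  console.log('shared state :', await runConcurrentLogins(new SharedStateStrategy()));
  console.log('request scope:', await runConcurrentLogins(new RequestScopedStrategy()));
})();
```

The same two-user concurrent login run, wrapped as `allUsersIsolated()`, is the shape of test that catches this class of bug in CI: a single sequential login can never expose it, because the shared field is always overwritten and read back by the same request.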

rickhernandezio commented 3 years ago

+1 for a fix

LJNGDAHL commented 3 years ago

I've made a pull request with a fix for this issue. Is it possible to get it reviewed (and merged if everything looks okay)?

rognstad commented 3 years ago

It's not encouraging that the advisory has been out since May, and no fix has been released for an issue bad enough for NPM to say "don't use this package."

Thanks for putting together that PR, @LJNGDAHL! I'm using your fork for the moment.

RLIndia commented 1 year ago

NPM Audit failure is still showing up with the latest 0.2.2 version. Does that mean this issue is not fixed by the code merged above?