linkeddata / rdflib.js

Linked Data API for JavaScript
http://linkeddata.github.io/rdflib.js/doc/

moderate vulnerability from archived repo #314

Open michielbdejong opened 5 years ago

michielbdejong commented 5 years ago
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ base64url                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rdflib                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rdflib > solid-auth-cli > @solid/cli > @trust/oidc-rp >      │
│               │ base64url                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/658                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

The issue could be fixed in https://github.com/anvilresearch/oidc-rp/blob/master/package.json#L44 but that repo is archived.

@dmitrizagidulin any idea on how we can update this? I guess the better solution is rdflib.js should not rely on an archived repo?
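The advisory table above names the package, the patched version range and the dependency path that reaches it. As an added example (not code from rdflib.js, and not posted by anyone in this thread), the script below walks a nested package-lock style dependency tree and reports every path that reaches a named package at a version below the patched one. The lock data is constructed to mirror the path in the table; the intermediate package versions are placeholders, and the `2.0.0` / `3.0.1` base64url versions are assumptions chosen to show one vulnerable and one patched instance.

```javascript
// Added example: locate a vulnerable transitive dependency in a nested
// (package-lock v1 style) dependency tree and report the full path to it.
// Not part of rdflib.js; the sample lock below is constructed for illustration.

// Package and patched version taken from the advisory table in the issue.
const ADVISORY = { name: 'base64url', patchedIn: '3.0.0' };

// Parse a plain x.y.z version (optionally prefixed, e.g. "v2.0.0" or "^2.0.0").
// Pre-release tags and build metadata are ignored, which is enough for
// comparing installed versions from a lock file against a patched threshold.
function parseVersion(v) {
  const m = /^[^\d]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major/minor/patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "Patched in >=3.0.0" means anything strictly below 3.0.0 is affected.
function isVulnerable(version, patchedIn) {
  return compareVersions(version, patchedIn) < 0;
}

// Depth-first walk over { name, version, dependencies: { name: { version, dependencies } } }.
// Returns one entry per vulnerable occurrence, with the path rendered the way
// npm audit prints it ("a > b > c").
function findVulnerablePaths(lock, target, patchedIn) {
  const hits = [];
  function walk(node, name, path) {
    const here = [...path, name];
    if (name === target && isVulnerable(node.version, patchedIn)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  }
  walk(lock, lock.name, []);
  return hits;
}

// Constructed sample lock data. Only the package names on the advisory path
// are real; every version number here is a placeholder.
const SAMPLE_LOCK = {
  name: 'rdflib',
  version: '0.0.0',
  dependencies: {
    'solid-auth-cli': {
      version: '0.0.0',
      dependencies: {
        '@solid/cli': {
          version: '0.0.0',
          dependencies: {
            '@trust/oidc-rp': {
              version: '0.0.0',
              dependencies: {
                // assumed: an installed base64url below the patched range
                base64url: { version: '2.0.0' },
              },
            },
          },
        },
      },
    },
    'unrelated-dep': {
      version: '1.0.0',
      dependencies: {
        // assumed: a second copy already on a patched release
        base64url: { version: '3.0.1' },
      },
    },
  },
};

const hits = findVulnerablePaths(SAMPLE_LOCK, ADVISORY.name, ADVISORY.patchedIn);
for (const h of hits) {
  console.log(`${ADVISORY.name}@${h.version} (patched in >=${ADVISORY.patchedIn}): ${h.path}`);
}
```

The walk follows the nested `dependencies` tree only. In a real lock file npm hoists shared packages to the root, so the install location of `base64url` may differ from the `requires` chain shown in the advisory; resolving that requires walking the `requires` graph as well, which is left out here to keep the example focused on the version check.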

michielbdejong commented 5 years ago

cc @jeff-zucker

jeff-zucker commented 5 years ago

@RubenVerborgh's @solid/oidc-rp can, on first testing, be substituted for Anvil's @trust/oidc-rp in solid/solid-cli which would remove the archived library from the build chain and allow solid-auth-cli to keep working. By no means a long-term solution to OAuth, but would allow rdflib to still be used outside the browser for the time being. Is this the way to go, and shall I submit a PR to solid-cli?