okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

Update Dependencies #52

Closed hborrel closed 1 year ago

hborrel commented 2 years ago

Describe the bug?

Npm audit returns 4 vulnerabilities

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/got
  openid-client  <=3.15.10
    Depends on vulnerable versions of got
    node_modules/@okta/oidc-middleware/node_modules/openid-client

passport  <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
No fix available
node_modules/@okta/oidc-middleware/node_modules/passport
  @okta/oidc-middleware  *
    Depends on vulnerable versions of openid-client
    Depends on vulnerable versions of passport
    node_modules/@okta/oidc-middleware

4 moderate severity vulnerabilities

What is expected to happen?

Npm audit returns 0 vulnerabilities

What is the actual behavior?

n/a

Reproduction Steps?

npm i --save @okta/oidc-middleware

SDK Versions

"name": "@okta/oidc-middleware", "version": "4.5.1",

Execution Environment

[sandbox current]$ npm -v
8.15.0
[sandbox current]$ node -v
v16.17.0
[sandbox current]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

Additional Information?

No response
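The audit report above is the kind of output a CI step has to turn into a pass/fail decision: which advisories are present, whether they are direct or transitive, and whether `npm audit fix` can resolve them or an upstream release is needed (as with passport here). The following is an added example, not code from the okta-oidc-middleware project or from anyone in this thread. It parses a report in the shape of `npm audit --json` (assumed to be npm's audit report version 2, as produced by npm 7 and later) and fails when any finding meets a severity threshold. The embedded `SAMPLE_AUDIT` object is constructed from the advisories quoted in the issue, not captured from a real run, and the field layout is an assumption about that JSON format.

```javascript
// Added example (not the project's code): gate a CI job on `npm audit --json`.
// Assumption: the report follows npm's audit report version 2 layout, where
// `vulnerabilities` is keyed by package name and each entry carries
// severity, isDirect, range, via, effects and fixAvailable.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the four findings in the issue (not real output).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: "got", severity: "moderate", isDirect: false, range: "<11.8.5",
      via: [{ title: "Got allows a redirect to a UNIX socket",
              url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97", severity: "moderate" }],
      effects: ["openid-client"], fixAvailable: true,
    },
    "openid-client": {
      name: "openid-client", severity: "moderate", isDirect: false, range: "<=3.15.10",
      via: ["got"], effects: ["@okta/oidc-middleware"], fixAvailable: true,
    },
    passport: {
      name: "passport", severity: "moderate", isDirect: false, range: "<0.6.0",
      via: [{ title: "Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out",
              url: "https://github.com/advisories/GHSA-v923-w3x8-wh69", severity: "moderate" }],
      effects: ["@okta/oidc-middleware"], fixAvailable: false,
    },
    "@okta/oidc-middleware": {
      name: "@okta/oidc-middleware", severity: "moderate", isDirect: true, range: "*",
      via: ["openid-client", "passport"], effects: [], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 4, high: 0, critical: 0, total: 4 } },
};

// Collect every entry at or above `minSeverity`. In the v2 format an object in
// `via` is a root advisory; a string in `via` means "depends on a vulnerable
// version of" that package, so the advisory itself lives on the named package.
function auditFindings(report, minSeverity = "moderate") {
  const min = SEVERITY_RANK[minSeverity];
  if (min === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const findings = [];
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[entry.severity] ?? -1) < min) continue;
    const via = Array.isArray(entry.via) ? entry.via : [];
    findings.push({
      name: entry.name,
      severity: entry.severity,
      range: entry.range,
      direct: Boolean(entry.isDirect),
      fixAvailable: Boolean(entry.fixAvailable),
      advisories: via.filter((v) => typeof v === "object" && v !== null).map((v) => v.url),
      dependsOn: via.filter((v) => typeof v === "string"),
    });
  }
  return findings;
}

// Print one line per finding and return the exit code a CI step should use:
// 0 when nothing meets the threshold, 1 otherwise.
function auditGate(report, minSeverity = "moderate") {
  const findings = auditFindings(report, minSeverity);
  for (const f of findings) {
    const fix = f.fixAvailable ? "fix via npm audit fix" : "no fix available (needs upstream release)";
    const where = f.advisories.length ? f.advisories.join(" ") : `via ${f.dependsOn.join(", ")}`;
    console.log(`${f.severity}\t${f.name} ${f.range}\t${f.direct ? "direct" : "transitive"}\t${fix}\t${where}`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Usage in CI (hypothetical file name):
//   npm audit --json > audit.json; node audit-gate.js audit.json
// With no file argument the constructed sample is evaluated and nothing exits.
if (process.argv[2]) {
  const fs = require("fs");
  process.exitCode = auditGate(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
} else {
  auditGate(SAMPLE_AUDIT);
}
```

Gating on `moderate` reproduces the behaviour the thread describes (four findings, CI blocked); raising the threshold to `high` lets the same report pass, which is the lever a team uses while an unfixable transitive dependency waits for an upstream release.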

LongweiDeng commented 2 years ago

This is also reported by Snyk and blocking our CI. Please update the dependencies asap. Many thanks

denysoblohin-okta commented 2 years ago

Thanks for submitting this issue with outdated deps. Internal ref: OKTA-528393

satyavh commented 2 years ago

Yeah this is quite a problem as I expect Okta to take security as their top priority / concern.

Unfortunately the community has to report this simple to fix security issue. I don't understand why Okta doesn't include this in their CI / release process. What's even worse, it's not fixed instantly.

LongweiDeng commented 2 years ago

Hi @denysoblohin-okta, do you have an ETA on the fix?

illimw commented 2 years ago

I'm seeing the exact same vulnerability message when installing @okta/oidc-middleware. I'm also using the same release of the middleware.

jaredperreault-okta commented 2 years ago

Fix merged in https://github.com/okta/okta-oidc-middleware/pull/54, will be released soon

We are considering this to be a major version release, because this update requires the minimum node version to be bumped to 12.19

jaredperreault-okta commented 2 years ago

5.0.0 has been released

satyavh commented 2 years ago

> 5.0.0 has been released

That's great, thanks. And is there now a plan from Okta to keep updating dependencies to avoid security issues for their customers?

rcollette commented 1 year ago

Shouldn't this be closed?

jaredperreault-okta commented 1 year ago

@rcollette yes