Closed hborrel closed 1 year ago
This is also reported by Snyk and blocking our CI. Please update the dependencies asap. Many thanks
Thanks for submitting this issue with outdated deps. Internal ref: OKTA-528393
Yeah this is quite a problem as I expect Okta to take security as their top priority / concern.
Unfortunately the community has to report this simple-to-fix security issue. I don't understand why Okta doesn't include this in their CI / release process. What's even worse, it's not fixed instantly.
Hi @denysoblohin-okta, do you have an ETA on the fix?
I'm seeing the exact same vulnerability message when installing @okta/oidc-middleware. I'm also using the same release of the middleware.
Fix merged in https://github.com/okta/okta-oidc-middleware/pull/54, will be released soon
We are considering this to be a major version release, because this update requires the minimum node version to be bumped to 12.19
5.0.0 has been released
5.0.0 has been released
That's great, thanks. And is there now a plan from Okta to keep updating dependencies to avoid security issues for their customers?
Shouldn't this be closed?
@rcollette yes
Describe the bug?
Npm audit returns 4 vulnerabilities
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
  openid-client  <=3.15.10
  Depends on vulnerable versions of got
  node_modules/@okta/oidc-middleware/node_modules/openid-client

passport  <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
No fix available
node_modules/@okta/oidc-middleware/node_modules/passport
  @okta/oidc-middleware  *
  Depends on vulnerable versions of openid-client
  Depends on vulnerable versions of passport
  node_modules/@okta/oidc-middleware

4 moderate severity vulnerabilities
What is expected to happen?
Npm audit returns 0 vulnerabilities
What is the actual behavior?
n/a
Reproduction Steps?
npm i --save @okta/oidc-middleware
SDK Versions
"name": "@okta/oidc-middleware",
"version": "4.5.1",
Execution Environment
[sandbox current]$ npm -v
8.15.0
[sandbox current]$ node -v
v16.17.0
[sandbox current]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
Additional Information?
No response
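The audit output quoted in this issue is the text form of npm's audit report; the JSON form (`npm audit --json`, auditReportVersion 2) is what a CI gate of the kind the thread asks for would consume. The following JavaScript is an added example, not code from Okta or this repository: it triages such a report, follows `via` links from a transitive finding (here @okta/oidc-middleware via openid-client via got) back to the package carrying the advisory, and separates findings `npm audit fix` can resolve from ones that need an upstream release. The sample report is constructed from the four findings above with most fields omitted; the field names are npm's JSON schema as I know it.

```javascript
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `via` references back to the packages that carry an actual advisory,
// so a transitive finding (openid-client -> got) is reported with its root cause.
function rootAdvisories(report, name, seen = new Set()) {
  const vuln = report.vulnerabilities[name];
  if (!vuln || seen.has(name)) return [];
  seen.add(name);
  return vuln.via.flatMap((v) =>
    typeof v === "string"
      ? rootAdvisories(report, v, seen)
      : [{ pkg: name, url: v.url, range: v.range }]
  );
}

// Returns findings at or above `threshold`, split by whether npm can fix them.
function triageAudit(report, threshold = "moderate") {
  const min = SEVERITY_RANK[threshold];
  const fixable = [], unfixable = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    if (SEVERITY_RANK[vuln.severity] < min) continue;
    const entry = { name, severity: vuln.severity, isDirect: vuln.isDirect, roots: rootAdvisories(report, name) };
    // fixAvailable is true, false, or an object describing a semver-major bump
    (vuln.fixAvailable ? fixable : unfixable).push(entry);
  }
  return { fixable, unfixable, blocking: fixable.length + unfixable.length > 0 };
}

// Constructed sample modelled on the report in this issue (fields abbreviated).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: { severity: "moderate", isDirect: false, range: "<11.8.5", fixAvailable: true,
      via: [{ name: "got", url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97", range: "<11.8.5" }] },
    "openid-client": { severity: "moderate", isDirect: false, range: "<=3.15.10", fixAvailable: true, via: ["got"] },
    passport: { severity: "moderate", isDirect: false, range: "<0.6.0", fixAvailable: false,
      via: [{ name: "passport", url: "https://github.com/advisories/GHSA-v923-w3x8-wh69", range: "<0.6.0" }] },
    "@okta/oidc-middleware": { severity: "moderate", isDirect: true, range: "*", fixAvailable: false,
      via: ["openid-client", "passport"] },
  },
};

// Human-readable CI summary; a pipeline would exit non-zero when `blocking` is true.
function summarize({ fixable, unfixable }) {
  const line = (f, tag) => `${tag} ${f.name} (${f.severity}${f.isDirect ? ", direct" : ""}): ${f.roots.map((r) => r.url).join(", ")}`;
  return [...fixable.map((f) => line(f, "FIXABLE  ")), ...unfixable.map((f) => line(f, "UNFIXABLE"))];
}

console.log(summarize(triageAudit(SAMPLE_REPORT, "moderate")).join("\n"));
```

To run it against a real project, replace SAMPLE_REPORT with `JSON.parse` of the output of `npm audit --json`.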