redwoodjs / redwoodjs.com

redwoodjs.com redesign for 1.0

fix(deps): update dependency @redwoodjs/api to v2 [security] #145

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| @redwoodjs/api (source) | `^1.5.1` -> `^2.0.0` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

GHSA-3qmc-2r76-4rqp

Impact

What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's dbAuth, specifically the dbAuth forgot password feature:

User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.

How to Determine if Projects have been Attacked

To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.

If you have questions or concerns, reach out via the "For More Information" section below.

Patch Releases Available

The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:

Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()

Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning:

```js
handler: (user) => {
  // your code to notify/email user of the link to reset their password...

  // Destructure the sensitive fields away so they never reach the API response
  const { resetToken, resetTokenExpiresAt, ...rest } = user

  return rest
}
```

Use yarn patch to manually apply the fix

Users on v3 and v2 can use yarn patch to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability gist for instructions.

Disable the forgot password flow entirely (v3 only)

Users on v3 can disable the forgot password flow entirely.


Release Notes

redwoodjs/redwood (@redwoodjs/api)

- [`v2.2.5`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v225) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.2.4...v2.2.5)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.5
- [`v2.2.4`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v224) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.2.3...v2.2.4)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.4
- [`v2.2.3`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v223) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.2.2...v2.2.3)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.3
- [`v2.2.2`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v222) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.2.1...v2.2.2)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.2
- [`v2.2.1`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v221) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.2.0...v2.2.1)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.1
- [`v2.2.0`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v220) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.1.1...v2.2.0)): See https://github.com/redwoodjs/redwood/releases/tag/v2.2.0
- [`v2.1.1`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v211) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.1.0...v2.1.1)): See https://github.com/redwoodjs/redwood/releases/tag/v2.1.1
- [`v2.1.0`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v210) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v2.0.0...v2.1.0)): See https://github.com/redwoodjs/redwood/releases/tag/v2.1.0
- [`v2.0.0`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v200) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v1.5.2...v2.0.0)): See https://github.com/redwoodjs/redwood/releases/tag/v2.0.0 for the release notes and upgrade guide
- [`v1.5.2`](https://togithub.com/redwoodjs/redwood/blob/HEAD/CHANGELOG.md#v152) ([Compare Source](https://togithub.com/redwoodjs/redwood/compare/v1.5.1...v1.5.2)): See https://github.com/redwoodjs/redwood/releases/tag/v1.5.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
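The advisory's "How to Determine if Projects have been Attacked" section points at one log indicator: a burst of forgot-password requests for e-mail addresses that do not exist. The helper below is an added example, not code from the advisory, Renovate or the Redwood project; it triages constructed structured log lines for that indicator. The JSON field names (`time`, `ip`, `method`, `email`, `found`), the 5-minute bucket and the threshold of 3 are assumptions, not Redwood's real log schema.

```javascript
// Added example (not from the advisory or Redwood): flag source IPs that
// issue many forgot-password requests for unknown e-mails in one time bucket.
const WINDOW_MS = 5 * 60 * 1000 // assumed bucket size: 5 minutes

// Constructed sample log: one JSON object per line, field names are assumed.
const SAMPLE_LOG = [
  '{"time":"2024-08-06T10:00:01Z","ip":"198.51.100.7","method":"forgotPassword","email":"alice@example.com","found":true}',
  '{"time":"2024-08-06T10:00:05Z","ip":"203.0.113.9","method":"forgotPassword","email":"x1@example.com","found":false}',
  '{"time":"2024-08-06T10:00:06Z","ip":"203.0.113.9","method":"forgotPassword","email":"x2@example.com","found":false}',
  '{"time":"2024-08-06T10:00:07Z","ip":"203.0.113.9","method":"forgotPassword","email":"x3@example.com","found":false}',
  '{"time":"2024-08-06T10:00:08Z","ip":"203.0.113.9","method":"forgotPassword","email":"bob@example.com","found":true}',
  '{"time":"2024-08-06T10:00:09Z","ip":"203.0.113.9","method":"login","email":"bob@example.com","found":true}',
  '{"time":"2024-08-06T10:30:00Z","ip":"198.51.100.7","method":"forgotPassword","email":"nobody@example.com","found":false}',
].join('\n')

function parseLog(text) {
  return text
    .split('\n')
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line))
}

// One row per (ip, time bucket): total forgot-password requests and how many
// distinct e-mails in that bucket were unknown; a row is suspicious once the
// unknown-e-mail count reaches `threshold`.
function findForgotPasswordBursts(entries, threshold = 3) {
  const buckets = new Map()
  for (const e of entries) {
    if (e.method !== 'forgotPassword') continue
    const bucketStart = Math.floor(Date.parse(e.time) / WINDOW_MS) * WINDOW_MS
    const key = `${e.ip}|${bucketStart}`
    const row = buckets.get(key) || {
      ip: e.ip,
      windowStart: new Date(bucketStart).toISOString(),
      total: 0,
      unknownEmails: new Set(),
    }
    row.total += 1
    if (!e.found) row.unknownEmails.add(e.email)
    buckets.set(key, row)
  }
  return [...buckets.values()].map((r) => ({
    ip: r.ip,
    windowStart: r.windowStart,
    total: r.total,
    unknown: r.unknownEmails.size,
    suspicious: r.unknownEmails.size >= threshold,
  }))
}

// Source IPs worth a closer look in the given log text.
function suspiciousSources(text = SAMPLE_LOG, threshold = 3) {
  return findForgotPasswordBursts(parseLog(text), threshold)
    .filter((r) => r.suspicious)
    .map((r) => r.ip)
}

console.log(suspiciousSources()) // prints [ '203.0.113.9' ]
```

A single unknown address in a bucket (the 10:30 line above) is ordinary user error and stays unflagged; the threshold and window should be tuned to the application's normal forgot-password volume.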

netlify[bot] commented 1 month ago

Deploy Preview for redwoodjs-com ready!

| Name | Link |
|---|---|
| Latest commit | aa429fa1f6472a2b608489e4e5dff15cd8aad51e |
| Latest deploy log | https://app.netlify.com/sites/redwoodjs-com/deploys/66b1cf0b6686b300088a3e20 |
| Deploy Preview | https://deploy-preview-145--redwoodjs-com.netlify.app |

To edit notification comments on pull requests, go to your Netlify site configuration.