Open leeomara opened 3 years ago
Max has done work implementing a new library. See 2d23236.
I've replaced passport-openidconnect with express-openid-connect and cleaned out all the package files for /api. As expected, removing the old library cleaned up a lot of the more egregious security errors.
Todo:
This work appears to have been done mostly in 480273, 65b15d5.
In the future, I think it would be preferable if this work was done in a branch and a pull request was created to track this work.
passport-openidconnect, at version 0.0.2, hasn't been updated in years and is responsible (I think) for some of the security alerts identified by Dependabot (https://github.com/ytgov/vue-template/network/alerts).
One option is openid-client, a certified OpenID Connect client for Relying Parties that supports passport.