Update Dependencies #52

Closed
hborrel opened this issue Aug 26, 2022 · 10 comments
Labels
bug Something isn't working

Comments

@hborrel

hborrel commented Aug 26, 2022

Describe the bug?

Npm audit returns 4 vulnerabilities

npm audit report

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/got
openid-client <=3.15.10
Depends on vulnerable versions of got
node_modules/@okta/oidc-middleware/node_modules/openid-client

passport <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - GHSA-v923-w3x8-wh69
No fix available
node_modules/@okta/oidc-middleware/node_modules/passport
@okta/oidc-middleware *
Depends on vulnerable versions of openid-client
Depends on vulnerable versions of passport
node_modules/@okta/oidc-middleware

4 moderate severity vulnerabilities

What is expected to happen?

Npm audit returns 0 vulnerabilities

What is the actual behavior?

n/a

Reproduction Steps?

npm i --save @okta/oidc-middleware

SDK Versions

"name": "@okta/oidc-middleware",
"version": "4.5.1",

Execution Environment

[sandbox current]$ npm -v
8.15.0
[sandbox current]$ node -v
v16.17.0
[sandbox current]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

Additional Information?

No response

@hborrel hborrel added the bug Something isn't working label Aug 26, 2022
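The audit output above gives the vulnerable ranges but not a way to gate a build on them before release; as an added example (not code from this issue or from the Okta SDK), the script below walks a dependency tree shaped like the node_modules paths in the report and flags any package whose version falls inside those ranges. The tree shape, the resolved versions of got and passport, and the `findVulnerable` name are assumptions made for this example.

```javascript
// Advisory ranges copied from the npm audit report in the issue.
const ADVISORIES = [
  { name: 'got', range: '<11.8.5', note: 'GHSA-pfrx-2q88-qq97' },
  { name: 'openid-client', range: '<=3.15.10', note: 'depends on vulnerable got' },
  { name: 'passport', range: '<0.6.0', note: 'GHSA-v923-w3x8-wh69' },
];

// Compare two dotted versions numerically (no pre-release tags, enough for this report).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Only the operators that appear in the report are supported: '<', '<=' and '*'.
function satisfiesRange(version, range) {
  if (range === '*') return true;
  const m = /^(<=|<)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return m[1] === '<' ? c < 0 : c <= 0;
}

// tree: { name, version, dependencies: [...] } (shape assumed for this example).
// Returns one finding per vulnerable node, with the install path for triage.
function findVulnerable(tree, advisories = ADVISORIES, path = []) {
  const here = [...path, tree.name];
  const hits = [];
  for (const adv of advisories) {
    if (adv.name === tree.name && satisfiesRange(tree.version, adv.range)) {
      hits.push({ name: tree.name, version: tree.version, note: adv.note, path: here.join(' > ') });
    }
  }
  for (const dep of tree.dependencies || []) hits.push(...findVulnerable(dep, advisories, here));
  return hits;
}

// Constructed tree mirroring the node_modules paths in the report; versions are assumed.
const INSTALLED_4_5_1 = {
  name: '@okta/oidc-middleware', version: '4.5.1', dependencies: [
    { name: 'openid-client', version: '3.15.10', dependencies: [{ name: 'got', version: '9.6.0' }] },
    { name: 'passport', version: '0.4.1' },
  ],
};

module.exports = { ADVISORIES, compareVersions, satisfiesRange, findVulnerable, INSTALLED_4_5_1 };
```

In a CI step the same check would run over the real tree (for example from `npm ls --json`) and fail the job when `findVulnerable` returns any finding.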
@LongweiDeng

This is also reported by Snyk and blocking our CI. Please update the dependencies asap.
Many thanks

@denysoblohin-okta
Contributor

Thanks for submitting this issue with outdated deps.
Internal ref: OKTA-528393

@satyavh

satyavh commented Aug 31, 2022

Yeah this is quite a problem as I expect Okta to take security as their top priority / concern.

Unfortunately the community has to report this simple-to-fix security issue. I don't understand why Okta doesn't include this in their CI / release process. What's even worse, it's not fixed instantly.

@LongweiDeng

Hi @denysoblohin-okta, do you have an ETA on the fix?

@illimw

illimw commented Sep 7, 2022

I'm seeing the exact same vulnerability message when installing @okta/oidc-middleware. I'm also using the same release of the middleware.

@jaredperreault-okta
Contributor

Fix merged in #54, will be released soon

We are considering this to be a major version release, because this update requires the minimum node version to be bumped to 12.19

@jaredperreault-okta
Contributor

5.0.0 has been released

@satyavh

satyavh commented Sep 8, 2022

5.0.0 has been released
That's great, thanks.
And is there now a plan from Okta to keep updating dependencies to avoid security issues for their customers?

@rcollette

Shouldn't this be closed?

@jaredperreault-okta
Contributor

@rcollette yes


7 participants