Update Dependencies #52
Comments
This is also reported by Snyk and blocking our CI. Please update the dependencies ASAP.

Thanks for submitting this issue with outdated deps.

Yeah, this is quite a problem, as I expect Okta to take security as their top priority / concern. Unfortunately the community has to report this simple-to-fix security issue. I don't understand why Okta doesn't include this in their CI / release process. What's even worse, it's not fixed instantly.

Hi @denysoblohin-okta, do you have an ETA on the fix?

I'm seeing the exact same vulnerability message when installing @okta/oidc-middleware. I'm also using the same release of the middleware.

Fix merged in #54, will be released soon. We are considering this to be a major version release, because this update requires the minimum node version to be bumped to
Shouldn't this be closed?

@rcollette yes
Describe the bug?
`npm audit` returns 4 vulnerabilities:

```
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
  openid-client  <=3.15.10
  Depends on vulnerable versions of got
  node_modules/@okta/oidc-middleware/node_modules/openid-client

passport  <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - GHSA-v923-w3x8-wh69
No fix available
node_modules/@okta/oidc-middleware/node_modules/passport
  @okta/oidc-middleware  *
  Depends on vulnerable versions of openid-client
  Depends on vulnerable versions of passport
  node_modules/@okta/oidc-middleware

4 moderate severity vulnerabilities
```
What is expected to happen?
`npm audit` returns 0 vulnerabilities
What is the actual behavior?
n/a
Reproduction Steps?
```sh
npm i --save @okta/oidc-middleware
```
SDK Versions
```json
"name": "@okta/oidc-middleware",
"version": "4.5.1",
```
Execution Environment
```
[sandbox current]$ npm -v
8.15.0
[sandbox current]$ node -v
v16.17.0
[sandbox current]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
```
Additional Information?
No response
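The practical problem in this report is that `npm audit` lumps together findings that `npm audit fix` can clear (got, and openid-client through it) with ones it cannot touch: passport is installed under `node_modules/@okta/oidc-middleware/node_modules/`, and the report says "No fix available", so only an upstream release of the middleware removes it. A CI gate that fails on the audit exit code alone gives a team nothing to act on. The script below is an added example, not code from the @okta/oidc-middleware project or from anyone in this thread. It triages `npm audit --json` output into "run `npm audit fix`" versus "escalate upstream", and walks each finding's `via` chain back to the package that carries the advisory so the right package and range can be cited. The `SAMPLE_REPORT` object is constructed to mirror the four findings above in the layout I assume npm 8 uses for `npm audit --json` (`vulnerabilities`, `via`, `effects`, `nodes`, `fixAvailable`); it is not captured output from the project.

```javascript
// Added example: triage `npm audit --json` output for a CI gate.
// Not part of @okta/oidc-middleware. Field names follow the npm 8 JSON
// report as I understand it (an assumption); the report itself is constructed.
const SEVERITY = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the four findings in this issue.
// In CI, replace this with JSON.parse(fs.readFileSync('audit.json', 'utf8')).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: 'got', severity: 'moderate', isDirect: false,
      // An object in `via` is an advisory against this package itself.
      via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
              severity: 'moderate', range: '<11.8.5' }],
      effects: ['openid-client'], range: '<11.8.5',
      nodes: ['node_modules/got'], fixAvailable: true,
    },
    'openid-client': {
      name: 'openid-client', severity: 'moderate', isDirect: false,
      // A string in `via` means the finding is inherited from that dependency.
      via: ['got'], effects: ['@okta/oidc-middleware'], range: '<=3.15.10',
      nodes: ['node_modules/@okta/oidc-middleware/node_modules/openid-client'],
      fixAvailable: true,
    },
    passport: {
      name: 'passport', severity: 'moderate', isDirect: false,
      via: [{ name: 'passport',
              title: 'Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out',
              severity: 'moderate', range: '<0.6.0' }],
      effects: ['@okta/oidc-middleware'], range: '<0.6.0',
      nodes: ['node_modules/@okta/oidc-middleware/node_modules/passport'],
      fixAvailable: false,
    },
    '@okta/oidc-middleware': {
      name: '@okta/oidc-middleware', severity: 'moderate', isDirect: true,
      via: ['openid-client', 'passport'], effects: [], range: '*',
      nodes: ['node_modules/@okta/oidc-middleware'], fixAvailable: false,
    },
  },
};

// Follow `via` strings back to the packages that carry an actual advisory.
// `seen` guards against cycles in the dependency graph.
function rootCauses(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const roots = [];
  for (const via of vulns[name].via) {
    if (typeof via === 'string') roots.push(...rootCauses(vulns, via, seen));
    else roots.push(name);
  }
  return [...new Set(roots)];
}

// Returns a summary a CI job can act on: exit code, what `npm audit fix`
// resolves, what needs an upstream release, and which advisories to cite.
function triageAudit(report, { failOn = 'moderate' } = {}) {
  const vulns = report.vulnerabilities || {};
  const threshold = SEVERITY[failOn];
  const findings = Object.values(vulns).map((v) => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    advisories: v.via.filter((x) => typeof x !== 'string').map((a) => a.title),
    inheritedFrom: rootCauses(vulns, v.name).filter((r) => r !== v.name),
    // npm reports an object here when the only fix is a semver-major bump.
    fixAvailable: Boolean(v.fixAvailable),
    majorBump: typeof v.fixAvailable === 'object' && v.fixAvailable !== null
      && v.fixAvailable.isSemVerMajor === true,
  }));
  const failing = findings.filter((f) => SEVERITY[f.severity] >= threshold);
  return {
    exitCode: failing.length ? 1 : 0,
    total: findings.length,
    fixable: failing.filter((f) => f.fixAvailable).map((f) => f.name).sort(),
    unfixable: failing.filter((f) => !f.fixAvailable).map((f) => f.name).sort(),
    // Package plus vulnerable range, for citing when escalating upstream.
    advisories: findings.filter((f) => f.advisories.length)
      .map((f) => `${f.name} ${vulns[f.name].range}`).sort(),
  };
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

On the constructed report this puts got and openid-client in `fixable`, passport and the middleware in `unfixable`, and names `got <11.8.5` and `passport <0.6.0` as the advisories to cite. The `failOn` threshold lets a pipeline fail on `high` while still printing moderate findings, and `majorBump` flags the case this thread ended in, where the only available fix is a semver-major release.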