node-auth0
Security Updates for v3
Checklist
- [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- [X] I have looked into the API documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
vm2, which is a transitive dependency of this library, is deprecated due to security issues, and I am unable to upgrade to 4.x of this library in the short term due to other libraries blocking my upgrade path. Are there any forthcoming updates to the 3.x line of this library that will address security issues?
Reproduction
n/a
Additional context
No response
node-auth0 version
3.7.2
Node.js version
16.20.1
Similarly, we're using auth0-deploy-cli which depends on v3 of this library, and just started getting an error due to this library's dependency on rest-facade. It looks like superagent has a PR to update its dependency on formidable, though it's unclear when that might flow through the whole dependency chain.
```
# npm audit report

formidable  <3.2.4
Severity: critical
Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c
No fix available
node_modules/formidable
  superagent  >=0.4.0
  Depends on vulnerable versions of formidable
  node_modules/superagent
    rest-facade  *
    Depends on vulnerable versions of superagent
    node_modules/rest-facade
      auth0  2.0.0-alpha.3 - 3.7.2
      Depends on vulnerable versions of rest-facade
      node_modules/auth0
        auth0-deploy-cli  *
        Depends on vulnerable versions of auth0
        node_modules/auth0-deploy-cli

5 critical severity vulnerabilities

Some issues need review, and may require choosing a different dependency.
```
@bdukes this specific security vulnerability has been withdrawn: https://github.com/advisories/GHSA-8cp3-66vr-3r4c
Hi @tstackhouse
Thank you for raising the issue!!
The specific vulnerability (GHSA-8cp3-66vr-3r4c) in formidable was recently withdrawn, indicating that it is no longer considered a security risk as per the advisory maintainers.
Please feel free to reach out in case of any issues; we will re-open this issue.
Hi @tanya732!
The advisory being cited was not the root issue of the issue I submitted; v3 of this library is still affected by the following vulnerabilities in vm2, which has no patched version and is discontinued:
- https://github.com/advisories/GHSA-cchq-frgv-rjh5
- https://github.com/advisories/GHSA-g644-9gfx-q4q4