auth0-authorization-extension
[Snyk] Fix for 55 vulnerabilities
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json
- Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches. Find out more.
Vulnerabilities that will be fixed
With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| | 619/1000 Why? Has a fix available, CVSS 8.1 | Prototype Pollution SNYK-JS-AJV-584908 | Yes | No Known Exploit |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Pollution SNYK-JS-ASYNC-2441827 | No | Proof of Concept |
| | 509/1000 Why? Has a fix available, CVSS 5.9 | Information Exposure SNYK-JS-AUTH0-596476 | No | No Known Exploit |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-AWSSDK-1059424 | No | Proof of Concept |
| | 616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9 | Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255 | No | Proof of Concept |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-1579269 | No | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Denial of Service (DoS) SNYK-JS-AXIOS-174505 | No | Proof of Concept |
| | 526/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.1 | Arbitrary Code Injection SNYK-JS-EJS-1049328 | Yes | Proof of Concept |
| | 726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1 | Remote Code Execution (RCE) SNYK-JS-EJS-2803307 | Yes | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181 | No | Proof of Concept |
| | 344/1000 Why? Has a fix available, CVSS 2.6 | Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346 | No | No Known Exploit |
| | 484/1000 Why? Has a fix available, CVSS 5.4 | Open Redirect SNYK-JS-GOT-2932019 | Yes | No Known Exploit |
| | 584/1000 Why? Has a fix available, CVSS 7.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852 | Yes | No Known Exploit |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355 | Yes | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| | 681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-450202 | Yes | Proof of Concept |
| | 731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-73638 | Yes | Proof of Concept |
| | 541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | Yes | Proof of Concept |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Directory Traversal SNYK-JS-MOMENT-2440688 | No | No Known Exploit |
| | 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238 | No | Proof of Concept |
| | 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-NCONF-2395478 | No | Proof of Concept |
| | 726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1 | Arbitrary File Overwrite SNYK-JS-NPM-537603 | Yes | Proof of Concept |
| | 451/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 2.6 | Unauthorized File Access SNYK-JS-NPM-537604 | Yes | Proof of Concept |
| | 726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1 | Arbitrary File Write SNYK-JS-NPM-537606 | Yes | Proof of Concept |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Insertion of Sensitive Information into Log File SNYK-JS-NPM-575435 | Yes | No Known Exploit |
| | 589/1000 Why? Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-NPMUSERVALIDATE-1019352 | Yes | No Known Exploit |
| | 726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1 | Remote Code Execution (RCE) SNYK-JS-PUGCODEGEN-1082232 | No | Proof of Concept |
| | 624/1000 Why? Has a fix available, CVSS 8.2 | Arbitrary File Overwrite SNYK-JS-TAR-1536528 | Yes | No Known Exploit |
| | 624/1000 Why? Has a fix available, CVSS 8.2 | Arbitrary File Overwrite SNYK-JS-TAR-1536531 | Yes | No Known Exploit |
| | 410/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758 | Yes | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579147 | Yes | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579152 | Yes | No Known Exploit |
| | 639/1000 Why? Has a fix available, CVSS 8.5 | Arbitrary File Write SNYK-JS-TAR-1579155 | Yes | No Known Exploit |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599 | No | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600 | No | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601 | No | Proof of Concept |
| | 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602 | No | Proof of Concept |
| | 434/1000 Why? Has a fix available, CVSS 4.4 | Time of Check Time of Use (TOCTOU) npm:chownr:20180731 | Yes | No Known Exploit |
| | 506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306 | No | Proof of Concept |
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:hoek:20180212 | Yes | Proof of Concept |
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:lodash:20180130 | Yes | Proof of Concept |
| | 399/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:ms:20170412 | Yes | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Access Restriction Bypass npm:npm:20180222 | Yes | No Known Exploit |
| | 399/1000 Why? Has a fix available, CVSS 3.7 | Denial of Service (DoS) npm:superagent:20170807 | Yes | No Known Exploit |
| | 479/1000 Why? Has a fix available, CVSS 5.3 | Information Exposure npm:superagent:20181108 | Yes | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: auth0-extension-tools
The new version differs by 20 commits.
- 3ee9a4f Merge pull request #19 from auth0-extensions/version-bump
- 5ba28bc add defaults to circle-ci yaml config
- bb0e04e add deploy step and test_and_deploy workflow to circle config
- d705af6 change circle-ci config to use npm instead of yarn.
- 0ac6628 Merge pull request #18 from auth0-extensions/version-bump
- c5f23ad bump package.json version
- 0e81ea0 Merge pull request #17 from gkwang/update-dependencies
- f9e0206 Update dependencies
- 140cc2a 1.4.1
- 1eadbc8 Merge pull request #16 from chrisscott/update_node_auth0
- 2e47408 Update node-auth version to latest, 2.18.0
- 8a7c701 Merge pull request #15 from auth0-extensions/node-auth0-bump
- b2015ad yarn.lock update
- 8f966bf bump node-auth0 version to latest
- 90c347d [Automated Script] Add stale config.
- 16b5d45 [Automated Script] Added PR Template
- 591750e 1.3.3
- e0b6aa4 Merge pull request #14 from zxan1285/no-access-token
- fb91228 no access token option
- 5be377c optional response_type
Package name: aws-sdk
The new version differs by 250 commits.
- 8875a35 Updates SDK to v2.814.0
- dd83d67 throw at invalid profile name in shared ini file (#3585)
- ee0c5a3 Updates SDK to v2.813.0
- 468d15b Updates SDK to v2.812.0
- c50132f Update README.md with references to JS SDK V3 (#3582)
- 3e19b08 Updates SDK to v2.811.0
- f26c00d Updates SDK to v2.810.0
- b393a6e Adds automatic PreSignedUrl generation to RDS.StartDBInstanceAutomatedBackupsReplication (#3566)
- fa57967 Updates SDK to v2.809.0
- 9a52018 Updates SDK to v2.808.0
- 1958076 Updates SDK to v2.807.0
- ffcad20 Updates SDK to v2.806.0
- 2f37893 chore: remove cognitoidentity customizations to disable auth (#3543)
- c6fe3c0 Updates SDK to v2.805.0
- 71d6fa9 Fix dual-callback case (#3537)
- b981971 Updates SDK to v2.804.0
- 332573f Updates SDK to v2.803.0
- deb7bc7 Updates SDK to v2.802.0
- b6401d0 Remove incorrectly named service named 'Profile' (#3562)
- 3364d4b Updates SDK to v2.801.0
- d400577 Updates SDK to v2.800.0
- 21c7dc0 Updates SDK to v2.799.0
- d2b8964 Updates SDK to v2.798.0
- 44ded82 fix: test IAM.getUser instead of listUsers (#3542)
Package name: axios
The new version differs by 250 commits.
- e367be5 [Releasing] 0.21.3
- 83ae383 Correctly add response interceptors to interceptor chain (#4013)
- c0c8761 [Updating] changelog to include links to issues and contributors
- 619bb46 [Releasing] v0.21.2
- 82c9455 Create SECURITY.md (#3981)
- 5b45711 Security fix for ReDoS (#3980)
- 5bc9ea2 Update ECOSYSTEM.md (#3817)
- e72813a Fixing README.md (#3818)
- e10a027 Fix README typo under Request Config (#3825)
- e091491 Update README.md (#3936)
- b42fbad Removed un-needed bracket
- 520c8dc Updating CI status badge (#3953)
- 4fbeecb Adding CI on Github Actions. (#3938)
- e9965bf Fixing the sauce labs tests (#3813)
- dbc634c Remove charset in tests (#3807)
- 3958e9f Add explanation of cancel token (#3803)
- 69949a6 Adding custom return type support to interceptor (#3783)
- 49509f6 Create FUNDING.yml (#3796)
- 199c8aa Adding parseInt to config.timeout (#3781)
- 94fc4ea Adding isAxiosError typeguard documentation (#3767)
- 0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
- a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
- 59fa614 [Updated] follow-redirects to the latest version (#3771)
- 7821ed2 Feat/json improvements (#3763)
Package name: blipp
The new version differs by 15 commits.
- 2327ecc 3.0.0
- da0f587 Merge pull request #29 from Y-LyN-10/master
- 0a37298 Update node.js versions for Travis CI
- 9a32e0d Merge branch 'master' of github.com:Y-LyN-10/blipp
- 8c4b863 Updated dev dependencies for Hapi v17
- 842ae6d Updated example for Hapi v17
- c67c665 Fixed lib and tests for default strategy
- eb77487 Linted tests
- 241dae5 Updated dependencies, tests are re-written with lab v15 and hapi v17
- 0143f72 Breaking changes: modified to work with Hapi v17
- 91db5cc updates travis and dependencies versions
- 014d160 Update dependencies version
- 53ec665 Merge pull request #21 from johnbrett/patch-1
- 502451d Fixing brackets in the readme
- 3cff28c style
Package name: good
The new version differs by 25 commits.
- f0b562e version 7.1.0
- 45606c7 Restored wreck logging. Closes #469. (#514)
- 6584880 Upgrade async. Fixes #515. (#538)
- 265a5ca Update deps. Closes #515
- f957062 Don't create a reporter if no streams were provided. Addresses #534 (#535)
- 9d198f8 update stream example in docs and other minors (#536)
- dfe7912 non breaking change adds responseSentTime. Closes #530 (#533)
- 3bd61be current version shield links to good @ npmjs (#521)
- ae1778b Support functions as modules (#517)
- b8f923e Add request route tags to response event (#516)
- 7a78ec8 Fix previous hapi versions
- 77bae30 Fix hapi v15.0.2 timing errors in tests
- 4a22673 hapi 15. Closes #509
- 2d510b1 handle missing coverage on hapi < 15
- 3f9a36a hapi 15 tests
- 51e8ec5 hapi 15
- 502b961 hapi 15
- 673af3e Changed keys used to identify reporters in example (#508)
- cf9f3fb Update CONTRIBUTING.md
- 65730b1 correct and improve documentation (#505)
- a55e808 Not enough feedback when error. Closes #498 (#499)
- 8561ecc Added .npmignore file. Closes #485 (#496)
- 0c93720 Update LICENSE
- 0434d88 Closes #491. Update tests to code3.
Package name: hapi-swagger
The new version differs by 96 commits.
- 34ed162 v7.9.0
- ccf47a7 Merge pull request #455 from rokoroku/patch-1
- ce1014f Merge pull request #456 from ramimoshe/master
- e4f569d Link issue in docs
- 5844e3e Merge pull request #468 from rapilabs/patch-3
- bfe9195 Merge pull request #459 from sovietspaceship/patch-1
- d710828 Linting issue
- a047c66 Fix for basic example
- cb0dbbe Corrected error in example for JWT and Joi.extend()
- d575939 Merge pull request #453 from pdanpdan/patch-1
- 04bf8cd Added new disableDropdown to usgae guide
- 4b1a7c9 Merge pull request #402 from robertpallas/master
- e9e889e Merge pull request #397 from richardlay/master
- 3822495 Corrected anchor for "Grouping endpoints by path or tags"
- 4dbe097 fix 'vaildation' typoes
- 690b10b remove undefined item from Joi.try() alternatives structures
- 22f646d Fix auth for swaggerUI files
- b634ede Set auth also for swaggerUI paths
- c379231 Dependencies update
- 5d8770e Merge pull request #451 from robmcguinness/master
- 11113ea Merge pull request #446 from tepez/master
- f06c5e1 Fixes #450: hasFileType fails with circular dependency error
- 47169bd Move "lab" from dependencies to devDependencies
- eb3f832 Coverage issue
Package name: jsonwebtoken
The new version differs by 10 commits.
- f313850 8.0.0
- f38bd8e updated changelog
- 2ec3263 Merge pull request #393 from ziluvatar/migration-notes-to-readme
- 12cd8f7 docs: readme, migration notes
- cfc04a9 Merge pull request #349 from ziluvatar/fix-max-age-number-and-seconds
- 3305cf0 verify: remove process.nextTick (#302)
- 0be5409 Reduce size of NPM package (#347)
- 2e7e68d Remove joi to shrink module size (#348)
- 66a4f8b maxAge: Add validation to timespan result
- b61cc34 maxAge: Fix logic with number + use seconds instead of ms
Package name: lru-memoizer
The new version differs by 11 commits.
- 188771d 1.11.2
- 54c5074 Merge pull request #4 from coreylight/master
- e559da5 use most recent non-breaking 4.X lodash
- b068d9a 1.11.1
- 93916f8 avoid deoptimization converting args to array
- 0e46f30 1.11.0
- cb77088 add an option for cloning the object
- f447a3c 1.10.1
- 369d4f8 Merge branch 'elbuo8-own-freeze'
- 7f4545c improve test
- 277694d Bring freeze to lib
Package name: ms
The new version differs by 19 commits.
- 9b88d15 2.0.0
- 94b995c Invalidated cache for slack badge
- bcf5715 Bumped dependencies to the latest version
- b1eaab7 Ignored logs coming from npm
- caae298 Limit str to 100 to avoid ReDoS of 0.3s (#89)
- b83b36d chore(package): update eslint to version 3.19.0 (#88)
- 3f2a4d7 chore(package): update husky to version 0.13.3 (#86)
- 7daf984 1.0.0
- ee91f30 More suitable name for file containing tests
- e818c35 Removed browser testing
- c9b1fd3 Test on LTS version of Node
- 389840b Badge for XO removed
- 1fbbe97 Removed component specification
- 57b3ef8 Use `prettier` and `eslint`
- 94068ea Removed XO
- 4b7f48f chore(package): update serve to version 5.0.4 (#85)
- bd49cec chore(package): update xo to version 0.18.0 (#84)
- d4a94b1 chore(package): update serve to version 5.0.3 (#83)
- 923eee1 chore(package): update serve to version 5.0.2 (#82)
Package name: nconf
The new version differs by 37 commits.
- f25feb2 0.11.4
- 2e9e453 chore: disable package-lock, since this is a lib
- 7aa9402 chore: update node version test matrix
- feaba56 fix(security): prevent prototype pollution in memory store (#397)
- 218059e 0.11.3
- dc8c3d6 Handle case where parsed config object hasn't prototype (#365)
- b1914ae 0.11.2
- 54bd403 chore: upgrade deps to fix security vulns
- e6dfa5d 0.11.1
- 709cc60 Bump node-notifier from 8.0.0 to 8.0.1 (#355)
- eca2bf3 Bump ini from 1.3.5 to 1.3.6 (#353)
- 85229df chore: enable circleci
- 91e9106 chore: update changelog
- 4122731 0.11.0
- 56794d1 chore: upgrade deps to fix security vulns
- 1392ac4 0.10.0
- 01f25fa Regex as env separator (#288)
- 16667be Argv store separator (#291)
- bac910a 0.9.1
- 2bdf7e1 Clean Argv Store options (#290)
- b9321b2 transformer can now return an undefined key (#289)
- 81ce0be Update changelog
- b1ee63c fix error in transform function when dealing with dropped entries (#287)
- 9f70ba1 [doc] Update changelog
Package name: npm
The new version differs by 250 commits.
- 30a9844 7.21.0
- 0b2cd9d update AUTHORS
- 06461ec docs: changelog for v7.21.0
- 771a1cb chore(tests): fix snapshots
- 71cdfd8 [email protected]
- 94f92de [email protected]
- 7ac621c [email protected]
- 218caca [email protected]
- ff6626a fix(docs): update npm-publish access flag info
- b6f40b5 [email protected]
- e9e5ee5 @ npmcli/[email protected]
- 991a3bd [email protected]
- f077724 [email protected]
- 68a19bb fix(error-message): look for er.path not er.file
- ff34d6c feat(cache): initial implementation of ls and rm
- 8183976 [email protected]
- df57f0d @ npmcli/[email protected]
- 487731c fix(logging): sanitize logged argv
- 7a58264 chore(ci): check that docs are up to date in ci
- 22f3bbb chore(docs): add more 'autogenerated' comments
- 4314490 fix(docs): revert auto-generated portion of docs
- 32e88c9 fix(did-you-mean): switch levenshtein libraries
- 59b9851 7.20.6
- 2591e67 update AUTHORS
Package name: superagent
The new version differs by 250 commits.
- 3571754 v3.8.1
- 34b69c8 Bump
- 087edaf Clear auth on redirect
- 4108c34 npm@5
- 064b8b0 3.8.0
- b2708db Retry callback
- 383b308 Refactor shouldRetry
- 6bd9b31 indentation to match
- bba9773 log and test style
- bac9933 fn as optional param
- ff607e2 Add optional callback to retry
- 9b0d98d Changelog
- c808dd0 3.8.0-alpha.1
- 87516fc Also support events in global-ish agent
- 66aed34 Default settings for all agent requests
- 05d6c88 Authenticate request using username and password
- 06d7865 Extract common node/browser auth into request-base
- 104ccba Unify auth args handling in node/browser
- be5ab92 Handle errors in zlib pipe
- ef0a35b Merge pull request #1301 from visionmedia/es6
- 0dff890 Prettier
- d669860 ES6ify
- e8463f0 ES6ify Node tests
- cf98d3b Rephrase new documentation about error responses
Package name: webtask-tools
The new version differs by 2 commits.
With a Snyk patch:
| Severity | Priority Score (*) | Issue | Exploit Maturity |
|---|---|---|---|
| | 626/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.1 | Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131 | Proof of Concept |
| | 731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | Proof of Concept |
| | 579/1000 Why? Has a fix available, CVSS 7.3 | Prototype Pollution npm:extend:20180424 | No Known Exploit |
| | 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:hoek:20180212 | Proof of Concept |
| | 399/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:mime:20170907 | No Known Exploit |
| | 509/1000 Why? Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS) npm:moment:20161019 | No Known Exploit |
| | 399/1000 Why? Has a fix available, CVSS 3.7 | Regular Expression Denial of Service (ReDoS) npm:ms:20170412 | No Known Exploit |
| | 646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2... | | |