auth0-authorization-extension
[Snyk] Fix for 30 vulnerabilities
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
- Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  - package.json
  - package-lock.json
Vulnerabilities that will be fixed
With an upgrade:
| Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|
| 619/1000 Why? Has a fix available, CVSS 8.1 | Prototype Pollution SNYK-JS-AJV-584908 | Yes | No Known Exploit |
| 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-COOKIEJAR-3149984 | Yes | Proof of Concept |
| 579/1000 Why? Has a fix available, CVSS 7.3 | Arbitrary File Overwrite SNYK-JS-FSTREAM-174725 | Yes | No Known Exploit |
| 584/1000 Why? Has a fix available, CVSS 7.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852 | Yes | No Known Exploit |
| 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355 | Yes | Proof of Concept |
| 644/1000 Why? Has a fix available, CVSS 8.6 | Prototype Pollution SNYK-JS-JSONSCHEMA-1920922 | Yes | No Known Exploit |
| 509/1000 Why? Has a fix available, CVSS 5.9 | Denial of Service (DoS) SNYK-JS-JSYAML-173999 | Yes | No Known Exploit |
| 619/1000 Why? Has a fix available, CVSS 8.1 | Arbitrary Code Execution SNYK-JS-JSYAML-174129 | Yes | No Known Exploit |
| 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | No | Proof of Concept |
| 681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2 | Command Injection SNYK-JS-LODASH-1040724 | No | Proof of Concept |
| 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-450202 | No | Proof of Concept |
| 731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2 | Prototype Pollution SNYK-JS-LODASH-567746 | No | Proof of Concept |
| 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-608086 | No | Proof of Concept |
| 686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3 | Prototype Pollution SNYK-JS-LODASH-73638 | No | Proof of Concept |
| 541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4 | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | No | Proof of Concept |
| 479/1000 Why? Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818 | Yes | No Known Exploit |
| 506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7 | Prototype Pollution SNYK-JS-MINIMIST-2429795 | Yes | Proof of Concept |
| 601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| 589/1000 Why? Has a fix available, CVSS 7.5 | Directory Traversal SNYK-JS-MOMENT-2440688 | Yes | No Known Exploit |
| 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-MOMENT-2944238 | Yes | Proof of Concept |
| 586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067 | No | Proof of Concept |
| 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Prototype Poisoning SNYK-JS-QS-3153490 | Yes | Proof of Concept |
| 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795 | Yes | Proof of Concept |
| 726/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.1 | Arbitrary File Overwrite SNYK-JS-TAR-174125 | Yes | Proof of Concept |
| 524/1000 Why? Has a fix available, CVSS 6.2 | Regular Expression Denial of Service (ReDoS) npm:brace-expansion:20170302 | Yes | No Known Exploit |
| 579/1000 Why? Has a fix available, CVSS 7.3 | Prototype Pollution npm:extend:20180424 | Yes | No Known Exploit |
| 636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3 | Prototype Pollution npm:hoek:20180212 | Yes | Proof of Concept |
| 696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS) npm:sshpk:20180409 | Yes | Proof of Concept |
| 646/1000 Why? Mature exploit, Has a fix available, CVSS 5.2 | Uninitialized Memory Exposure npm:stringstream:20180511 | Yes | Mature |
| 509/1000 Why? Has a fix available, CVSS 5.9 | Regular Expression Denial of Service (ReDoS) npm:tough-cookie:20170905 | Yes | No Known Exploit |
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: auth0
The new version differs by 207 commits.
- c2f18fd Merge pull request #482 from davidpatrick/prepare/2.25.0
- 992fcf1 Release v2.25.0
- b20b54d Merge pull request #481 from auth0/davidpatrick-patch-1
- c19f29b Npm audit
- 7bc4a43 Fix typos
- 32f0001 Merge pull request #475 from davidpatrick/deprecate-request
- 41962eb Migrate to Axios
- 43b33a1 Merge pull request #473 from akvamalin/update-documentation
- 3724e52 Update getRulesConfigs docs to include callback
- 7859f69 [Security] Bump acorn from 6.2.1 to 6.4.1
- 0a2fff0 Merge pull request #468 from davidpatrick/prepare/2.24.0
- 01beb4c Release v2.24.0
- 4235906 Fix type of upsert and send_completion_email
- 057063f Mark upsert and send_completion_email are optional
- 6aaf3b9 Mark users and users_json are optional
- e4954aa Fix name and description of connection_id
- 6ebfd6c Illustrate alternative way to specify users in example
- 964ded0 Remove optional parameter from example
- 577ca68 Fix method name in jsdoc of JobsManager#errors
- b2b3b06 Update jsdoc of ManagementClient#importUsers
- c1b4ea4 Merge pull request #465 from davidpatrick/passwordless-secret
- 58ba5e1 Merge branch 'master' into passwordless-secret
- d89574e Fixes test on supportedAlgorithms
- fcd099f Add client secret to options for passwordless
Package name: blipp
The new version differs by 38 commits.
- bcc572a v4.0.0 (#42)
- 361ee7e 3.1.3
- 7362274 Updated hoek dep (#40)
- 467c34a 3.1.2
- 278f9bb Merge pull request #38 from Dennis-Emmental/master
- 60fa7e4 ignore queueMicrotask leak
- 38ddb6d modify printing scope information format and add test cases
- 2ada053 Fix displaying auth scope
- d8143dc update example
- b9557e1 Merge pull request #36 from danielb2/examples
- d7116b9 add example of using the plugin directly
- 8a9e684 add examples folder and update readme
- 07d05a5 3.1.1
- 33d1a0f 3.1.0
- ec79d93 Merge pull request #34 from danielb2/daniel/table
- b239a71 format display using easy-table
- a4e04b9 Merge pull request #32 from Y-LyN-10/master
- d1ec8dc Added "showScope" feature to the docs
- 98e2744 Merge pull request #31 from Y-LyN-10/feat.showscope
- 4e867be Updated lab version to the latest (16.x.x)
- 1ddad24 Added feature to show scope and tests
- 67cfe16 Updated dependencies due to vulnerable packages (npm audit fix)
- 68b9266 Update README.md
- 2327ecc 3.0.0
Package name: hapi-auth-jwt2
The new version differs by 81 commits.
- 4bcae9e Final Dependency Update for Hapi v.16-compatible Apps. No Code changed. See: https://github.com/dwyl/hapi-auth-jwt2/issues/255 preparing for Hapi v.17
- 232ee57 explicitly remove support for node v.4 from package.json (min is v6 now as per .travis.yml) see: https://github.com/dwyl/hapi-auth-jwt2/issues/257
- 59cdc94 update version of Hapi to v16.6.2 to test with *Final* version of v16 "stream" before updating to v17 see: https://github.com/dwyl/hapi-auth-jwt2/issues/255#issuecomment-356415709
- e90bdd1 adds node.js version 8 & 9 to .travis.yml to test the *latest* node versions on CI fixes https://github.com/dwyl/hapi-auth-jwt2/issues/257
- faf7805 remove node.js v.4 from .travis.yml as per https://github.com/dwyl/hapi-auth-jwt2/issues/255#issuecomment-356409619
- eec2ee6 update version of boom to 6.0.0 for #255
- aacc9a5 update version of jsonwebtoken dependency to latest version (8.1.0) for https://github.com/dwyl/hapi-auth-jwt2/issues/255
- f2560e6 Merge pull request #241 from nrotta/master
- e4ba8f1 Returns 'Expired token' when trying to authenticate with an expired token
- b8f62ac Merge pull request #236 from dwyl/update-hapi-version
- f5f9199 maintenance update: version of dependencies to latest. no code changed. https://github.com/dwyl/hapi-auth-jwt2/issues/242
- 9a8d654 Merge branch 'update-hapi-version' of github.com:dwyl/hapi-auth-jwt2 into update-hapi-version
- 9c96080 update version of Hapi to 16.4.3 fixes https://github.com/dwyl/hapi-auth-jwt2/issues/235
- 34f8db4 Merge branch 'master' into update-hapi-version
- b365d2c update version of boom to 5.1.0 fixes https://github.com/dwyl/hapi-auth-jwt2/issues/242
- ad6cb16 Added/fixed test removed in #166
- 969ece2 update versions of devDependencies to latest for https://github.com/dwyl/hapi-auth-jwt2/issues/235
- b5906c9 update version of Hapi (in devDependencies) to latest 16.1.1 for https://github.com/dwyl/hapi-auth-jwt2/issues/235
- 2307a92 update version of Hapi (in devDependencies) to latest 16.1.1 for https://github.com/dwyl/hapi-auth-jwt2/issues/235
- 9abe5b3 Merge pull request #221 from dwyl/add-CONTRIBUTING.md-file
- 1c1f059 :memo: adds CONTRIBUTING.md file so everyone knows how to contribute! :tada: fixes https://github.com/dwyl/hapi-auth-jwt2/issues/212
- e96665a Merge pull request #216 from dwyl/update-devDependency-on-Hapi-to-v16
- fa5b3be update hapi version compatibility in the readme to v16
- 1dee895 update devDependency on Hapi to v16. confirms that no update to code is required. #215
Package name: joi
The new version differs by 250 commits.
- b3833c4 17.1.1
- ed5990a Fix domain validation in relative uri. Closes #2316
- 1d1fd3f Merge pull request #2314 from jsoref/api-schema-object-foo-number-min-error
- c4d072b Update API.md - correct sample - fails because is gone
- b0ab57c Merge pull request #2305 from cbebry/patch-1
- d9738fb Update API.md - valid() no longer takes arrays
- 6ec7131 Merge pull request #2293 from hapijs/consider-changeless-forks
- e9f1865 Fix error on changeless forks. Fixes #2292.
- a9b5c3c Merge pull request #2281 from moonthug/patch-1
- 17118ce Fix example joi extension
- 48a3006 17.1.0
- 2417a42 Better annotate handling. isError. Closes #2279. Closes #2280
- 26206ed Merge pull request #2278 from Bjorn248/master
- 9768802 fix typo in LICENSE
- 8d72fac 17.0.2
- 038854b Consistent keys term. Closes #2269
- a7102c6 17.0.1
- 90a2b19 Move flag back to proto. Closes #2268
- 86636f3 17.0.0
- 9acff1d Update deps. Closes #2263
- 3bcab3a Move annotate() our of browser. Closes #2261
- c75a8f0 Merge branch 'master' of github.com:hapijs/joi
- 057248b Clarify rename(). For #2216
- fa9dd37 Merge pull request #2259 from nwhitmont/master
Package name: jsonwebtoken
The new version differs by 10 commits.
- f313850 8.0.0
- f38bd8e updated changelog
- 2ec3263 Merge pull request #393 from ziluvatar/migration-notes-to-readme
- 12cd8f7 docs: readme, migration notes
- cfc04a9 Merge pull request #349 from ziluvatar/fix-max-age-number-and-seconds
- 3305cf0 verify: remove process.nextTick (#302)
- 0be5409 Reduce size of NPM package (#347)
- 2e7e68d Remove joi to shrink module size (#348)
- 66a4f8b maxAge: Add validation to timespan result
- b61cc34 maxAge: Fix logic with number + use seconds instead of ms
Package name: jwks-rsa
The new version differs by 121 commits.
- 26e2fa3 Merge pull request #137 from auth0/davidpatrick-patch-1
- a9c179f Update package-lock.json
- 02d6e80 Release 1.8.0 (#136)
- 8cc9410 Added timeout with default value of 30s (#132)
- 1ec5217 Migrate from Request (#135)
- a3ba52e Allow JWT to not contain a "kid" value (#55)
- 398c05e Merge pull request #130 from auth0/prepare/1.7.0
- be9600a Release 1.7.0
- d0c5787 Merge pull request #129 from auth0/fix-linter-issues
- d122f08 fix linter issues
- 31177e3 Merge pull request #125 from Ogdentrod/feat/add-proxy
- 51d99e9 Merge branch 'master' into feat/add-proxy
- 5fc0f15 Merge pull request #128 from auth0/lbalmaceda-patch-1
- 6d304e5 Send the explicit commit SHA to Codecov
- 70efc54 Merge branch 'feat/add-proxy' of github.com:Ogdentrod/node-jwks-rsa into feat/add-proxy
- bc915d7 test: better testing for proxy
- 0988ccc Merge branch 'master' into feat/add-proxy
- b8ffdb6 Merge pull request #127 from auth0/add-ci
- 6663fc2 add badges to the README
- 7650ecb add CircleCI build and generate coverage
- c7c7ba5 feat: add proxy option to jwksClient
- 73a087d Merge pull request #123 from auth0/cacheChanges
- 17e83df Modify Cache Defaults
- 998a32d Merge pull request #121 from auth0/prepare-release
Package name: npm
The new version differs by 250 commits.
- 3b4ba65 7.0.0
- bbfc75d chore: fix weird .gitignore thing that happened somehow
- 8a2d375 docs: changelog for v7.0.0
- 365f2e7 [email protected]
- fafb348 [email protected]
- 9306c68 [email protected]
- 569cd64 [email protected]
- ac9fde7 Integration code for @ npmcli/[email protected]
- 704b9cd @ npmcli/[email protected]
- 3955bb9 [email protected]
- da240ef fix: patch config.js to remove duplicate values
- 9ae45a8 [email protected]
- 41ab36d [email protected]
- c474a15 [email protected]
- efc6786 fix: make sure publishConfig is passed through
- 1e4e6e9 docs: v7 using npm config refresh
- 5c1c2da fix: init config aliases
- 5bc7eb2 docs: v7 npm-install refresh
- 1a35d87 7.0.0-rc.4
- 7a5a557 docs: changelog for v7.0.0-rc.4
- f0cf859 chore: dedupe deps
- 0273745 [email protected]
- 7bd47ca @ npmcli/[email protected]
- 9320b8e only escape arguments, not the command name
Package name: webtask-tools
The new version differs by 2 commits.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
- 🦉 Prototype Pollution
- 🦉 Regular Expression Denial of Service (ReDoS)
- 🦉 Arbitrary Code Execution
- 🦉 More lessons are available in Snyk Learn