auth0-authorization-extension
auth0-authorization-extension copied to clipboard
auth0
[Do not merge] Minimal hapi upgrade experiment
βοΈ Changes
DESCRIPTION GOES HERE. Try to describe both what is changing and why this is important
- Make sure you run when adding / updating a package
- What did you change from a design standpoint?
- What did you change in the code itself?
- If you are updating a dependency, explain why this is needed.
π· Screenshots
If there were visual changes to the application with this change, please include before and after screenshots here. If it has animation, please use screen capture software like to make a gif.
π References
Include at at least one link to an explanation + requirements for this change, and more if at all possible. Typically this is a Jira/GitHub Issue, but could also be links to Zendesk tickets, RFCs, rollout plan or Slack conversations (for Slack conversations, make sure you provide a summary of the conversation under βChangesβ).
π― Testing
Describe how this can be tested by reviewers. Please be specific about anything not tested and reasons why.
- Make sure you add unit and integration tests.
- If this is on a hot path, add load or performance tests
- Especially for dependency updates we also need to make sure that there is no impact on performance.
β π« This change has been tested in a Webtask
β π« This change has unit test coverage
β π« This change has integration test coverage
β π« This change has been tested for performance
π Deployment
Can this change be merged at any time? What will the deployment of the change look like? Does this need to be released in lockstep with something else?
β π« This can be deployed any time
or β οΈ This should not be merged until:
- Other PR is merged because REASON
- After date because REASON
- Other condition: REASON
π‘ Rollout
Explain how the change will be verified once released. Manual testing? Functional testing?
In order to verify that the deployment was successful we will β¦
π₯ Rollback
Explain when and why we will rollback the change.
We will rollback if β¦
π Procedure
Explain how the rollback for this change will look like, how we can recover fast.
π₯ Appliance
Note to reviewers: ensure that this change is compatible with the Appliance.
Semgrep found 1 ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6 finding:
- package-lock.json: L22913
Risk: Affected version of handlebars is vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection') / Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The vulnerability allows for Prototype Pollution, potentially leading to Remote Code Execution, as templates can modify an object's __proto__ and __defineGetter__ properties, enabling attackers to execute arbitrary code using specially crafted payloads.
Fix: Upgrade this library to at least version 4.3.0 at auth0-authorization-extension/package-lock.json:22913.
Reference(s): https://github.com/advisories/GHSA-w457-6q6x-cgp9, CVE-2019-19919
Ignore this finding from ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6.Semgrep found 1 ssc-65a2e86a-8a34-49df-84cd-7cabdd12116b finding:
- package-lock.json: L19375
Risk: npm 6.x before 6.13.4 is vulnerable to improper limitation of a pathname to a restricted directory ('path traversal'). Affected versions will overwrite globally-installed package binaries without user interaction, as well as ignoring the explicit --ignore-scripts install option. Upgrade to npm 6.13.4.
Fix: Upgrade this library to at least version 6.13.4 at auth0-authorization-extension/package-lock.json:19375.
Reference(s): https://github.com/advisories/GHSA-4328-8hgf-7wjr, CVE-2019-16777
Ignore this finding from ssc-65a2e86a-8a34-49df-84cd-7cabdd12116b.Semgrep found 1 ssc-20e23dff-ba75-4719-8048-9a1ded0967b5 finding:
- package-lock.json: L19375
Risk: npm 6.x before 6.13.3 is vulnerable to improper link resolution before file access ('link following'). A malicious package may use the bin field to write files with the permissions of the npm process outside of node_modules. This cannot overwrite existing files. Upgrade to npm 6.13.3.
Fix: Upgrade this library to at least version 6.13.3 at auth0-authorization-extension/package-lock.json:19375.
Reference(s): https://github.com/advisories/GHSA-m6cx-g6qm-p2cx, CVE-2019-16775
Ignore this finding from ssc-20e23dff-ba75-4719-8048-9a1ded0967b5.Semgrep found 1 ssc-b4a210b5-93e0-4df0-8a99-fea9553da8f2 finding:
- package-lock.json: L19375
Risk: npm 6.x before 6.13.3 is vulnerable to improper limitation of a pathname to a restricted directory ('path traversal'). Affected versions of NPM do not prevent package authors from generating symlinks outside of the node_modules folder, allowing a malicious package author to symlink to arbitrary files on package install. Upgrade to npm 6.13.3.
Fix: Upgrade this library to at least version 6.13.3 at auth0-authorization-extension/package-lock.json:19375.
Reference(s): https://github.com/advisories/GHSA-x8qc-rrcw-4r46, CVE-2019-16776
Ignore this finding from ssc-b4a210b5-93e0-4df0-8a99-fea9553da8f2.Semgrep found 1 ssc-1606921e-eb4c-4a25-bcec-3cbfbc985ee1 finding:
- package-lock.json: L21994
Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.
Fix: Upgrade this library to at least version 0.5.1 at auth0-authorization-extension/package-lock.json:21994.
Reference(s): https://github.com/advisories/GHSA-hr2v-3952-633q, CVE-2018-3750
Ignore this finding from ssc-1606921e-eb4c-4a25-bcec-3cbfbc985ee1.![semgrep-app[bot] avatar](https://avatars.githubusercontent.com/in/60555?v=4 "Published by a pub.dev verified publisher"){kind=small}