auth0-lock depends on vulnerable versions of dompurify
Checklist
- [x] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- [x] I have searched the issues and have not found a suitable solution or answer.
- [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [x] I agree to the terms within the Auth0 Code of Conduct.
Description
```
# npm audit report

dompurify <3.2.4
Severity: moderate
DOMPurify allows Cross-site Scripting (XSS) - https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dompurify
  auth0-lock >=11.30.1
  Depends on vulnerable versions of dompurify
  node_modules/auth0-lock

2 moderate severity vulnerabilities
```
Reproduction
```
npm i auth0-lock
npm audit
```
Additional context
No response
Lock version
13.0.0
Which browsers have you tested in?
Chrome
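As an added example (not code from this issue or from the auth0-lock project): a small Node script that triages `npm audit --json` output the way the report above would be read in CI, separating the transitive dompurify finding from the direct auth0-lock one and flagging that the only offered fix is a semver-major upgrade, which is what `npm audit fix --force` calls a breaking change. The object layout follows npm's auditReportVersion 2 format; SAMPLE_REPORT is a constructed sample built from the packages, range and advisory URL in the report, and any installed version passed to versionInRange is an assumption.

```javascript
// Constructed sample in the shape of npm's `npm audit --json` (auditReportVersion 2)
// output, using the packages and advisory range from the issue.
const SAMPLE_REPORT = {
  vulnerabilities: {
    dompurify: {
      name: "dompurify", severity: "moderate", isDirect: false, range: "<3.2.4",
      via: [{ url: "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg", range: "<3.2.4" }],
      effects: ["auth0-lock"],
      fixAvailable: { name: "auth0-lock", version: "14.0.0", isSemVerMajor: true },
    },
    "auth0-lock": {
      name: "auth0-lock", severity: "moderate", isDirect: true, range: ">=11.30.1",
      via: ["dompurify"], effects: [],
      fixAvailable: { name: "auth0-lock", version: "14.0.0", isSemVerMajor: true },
    },
  },
};
// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Check an installed version against a simple npm range of space-separated
// comparators ("<3.2.4", ">=11.30.1 <14.0.0"); every comparator must hold.
function versionInRange(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = /^(<=|>=|<|>|=)?(\d+(?:\.\d+)*)$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const d = compareVersions(version, m[2]);
    return { "<": d < 0, "<=": d <= 0, ">": d > 0, ">=": d >= 0, "=": d === 0 }[m[1] || "="];
  });
}

// One triage row per vulnerable package: direct vs. transitive, which dependents
// it reaches ("effects"), advisory URLs, and whether the offered fix is breaking.
function triageAudit(report) {
  return Object.values(report.vulnerabilities).map((v) => ({
    name: v.name, severity: v.severity, range: v.range, direct: v.isDirect,
    affects: v.effects,
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    fixRequiresMajor: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
  }));
}
for (const row of triageAudit(SAMPLE_REPORT)) console.log(JSON.stringify(row));
```

A row with `direct: false` and `fixRequiresMajor: true`, like the dompurify one here, is the case where `npm audit fix` cannot help without a major bump of the dependent, so the gate should report the dependent (auth0-lock) rather than the leaf package.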
Hi @jacekkoziol,
We’ve just released a new major version that includes the security fix.
Please give it a try and let us know if everything works as expected. Thank you again for reporting the issue — we really appreciate it!
Best,
https://cdn.auth0.com/js/lock/14.0.0/lock.min.js - returns AccessDenied @developerkunal
Hi @FenPWysocki,
We’ve just fixed our pipelines, and everything is working fine now. Please take a look when you get a chance. Thanks again for raising this issue!
@jacekkoziol @FenPWysocki
Thanks again for reporting this. As mentioned earlier by @developerkunal , the issue has been resolved on our end, and everything is working as expected now. We'll go ahead and close this issue.
Feel free to reach out if anything else comes up!