Update idtoken-verifier to 2.1.2

[stevehobbsdev]

Changes

This PR updates to idtoken-verifier@2.1.2 to fix an issue in
crypto-js@4.0.0 that requires a native Crypto module to be present. This
effectively reverts to crypto-js@3.3.0 while we determine a long-term fix.

References

Fixes #1181

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

• This change adds unit test coverage
• This change adds integration test coverage

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All tests and linters described in the Develop section run without errors

[MengRS]

I could be wrong, but the following states that crypto-js 3.3.0 is still vulnerable: https://snyk.io/vuln/SNYK-JS-CRYPTOJS-548472

[stevehobbsdev]

@MengRS You would be correct. We cannot upgrade just yet as it has an adverse effect upstream and as mentioned in the PR, we are still determining the best course of action. However, we've done an internal security audit and we do not use any of the API in crypto-js that has been considered vulnerable; we're interested in upgrading more for the optics of using a dependency with published vulnerabilities.

Hope that helps