
chore!: Fix dependency security issues #114

Merged
merged 10 commits into from
Feb 9, 2021

Conversation


@tomauth0 tomauth0 commented Jan 22, 2021

Description

  • Resolves all critical and high npm-audit issues by updating dependencies:
    • xml-crypto (1.5.3 -> 2.0.0) This version removes support for HMAC by default, which is unsupported by this library - security fix
    • saml (0.15.0-rc.0 -> 1.0.0) Removes support for node <v10 - security fix
    • Dev dependencies:
      • express (3.11.0 -> 4.17.1) Major release that changes API footprint - security fix, removes support for node <v10
      • mocha (1.8.1 -> 8.2.1) Major release that changes API footprint - security fix, removes support for node <v10
      • Locks cheerio-select version to fix test issues.
      • Small refactor of server.js to support newer express version.

BREAKING CHANGE: This removes support for node versions 4, 6 & 8 - newer versions of mocha use async/await, causing tests to fail in older versions.

References

Addressing Issues:
#106
#107

Addressing issues resolved in other PRs:
#109

Testing

No functional changes introduced

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master
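Of the bumps listed above, the xml-crypto one has a direct security effect: 2.0.0 stops accepting HMAC signature methods by default. As an added illustration, not code from this PR or from xml-crypto, the JavaScript below applies the same kind of allowlist check to the SignatureMethod of a SAML response before the document reaches the signature verifier; the sample XML fragments are constructed and the allowlist contents are an assumption.

```javascript
// Added example, not code from this PR or from xml-crypto: an allowlist check
// on the XML-DSig SignatureMethod that mirrors the xml-crypto 2.0.0 default of
// refusing HMAC algorithms. Run with: node check-signature-method.js

// Asymmetric signature algorithms a SAML verifier holding the IdP's public key
// should accept (assumed allowlist); the hmac-* URIs are deliberately absent,
// so a public key can never be consumed as a shared HMAC secret.
const ALLOWED_SIGNATURE_METHODS = new Set([
  'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
]);

// Matches <SignatureMethod Algorithm="..."> with any namespace prefix or none.
const SIGNATURE_METHOD_RE =
  /<(?:[\w.-]+:)?SignatureMethod\b[^>]*?\bAlgorithm\s*=\s*"([^"]*)"/g;

// Pre-check run before the document reaches the signature verifier. Returns
// { ok: true, algorithm } only when exactly one SignatureMethod is present and
// its algorithm is on the allowlist; otherwise { ok: false, reason }.
function checkSignatureMethod(xml) {
  const algorithms = [...xml.matchAll(SIGNATURE_METHOD_RE)].map((m) => m[1]);
  if (algorithms.length === 0) {
    return { ok: false, reason: 'no SignatureMethod element found' };
  }
  if (algorithms.length > 1) {
    return { ok: false, reason: 'more than one SignatureMethod element' };
  }
  const [algorithm] = algorithms;
  if (/#hmac-/.test(algorithm)) {
    return { ok: false, reason: `HMAC signature method rejected: ${algorithm}` };
  }
  if (!ALLOWED_SIGNATURE_METHODS.has(algorithm)) {
    return { ok: false, reason: `signature method not on allowlist: ${algorithm}` };
  }
  return { ok: true, algorithm };
}

// Constructed SAML fragments for demonstration; not real IdP responses.
const rsaSigned =
  '<samlp:Response><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
  '<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>' +
  '</ds:SignedInfo></ds:Signature></samlp:Response>';
const hmacSigned = rsaSigned.replace('#rsa-sha256', '#hmac-sha256');
const unsigned = '<samlp:Response><saml:Assertion ID="_1"/></samlp:Response>';

for (const [label, doc] of [['rsa', rsaSigned], ['hmac', hmacSigned], ['none', unsigned]]) {
  console.log(label, JSON.stringify(checkSignatureMethod(doc)));
}
```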

luuuis previously approved these changes Jan 29, 2021

@luuuis luuuis left a comment


LGTM. Ideally the CHANGELOG.md would be updated after merging into master and when making the first release from there.

@luuuis luuuis changed the title chore!: Fix dependancy security issues chore!: Fix dependency security issues Jan 29, 2021
@ziluvatar

I can see major upgrades on xml-crypto (direct dependency + saml dependency) and xml-encryption (saml dependency).

Could you mention what were the breaking changes in those libs? Would they affect the consumers of this library in any way (just in case we need to modify README with migration steps or similar)?
