From 0c2a3b4a69e0c04913731adcb557b35b424d2b0a Mon Sep 17 00:00:00 2001 From: Armen Zambrano G <> Date: Fri, 5 Apr 2019 16:45:21 -0400 Subject: [PATCH] Upgrade auth0-js for security concerns I pinned the specific version because later versions have a bug. For full details see: https://nvd.nist.gov/vuln/detail/CVE-2018-7307 CVE-2018-7307 More information moderate severity Vulnerable versions: < 9.3.0 Patched version: 9.3.0 The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks. --- package.json | 2 +- yarn.lock | 32 +++++++++++++++++++++++++------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/package.json b/package.json index a6a86c7..ac07c0d 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "@material-ui/core": "^3.9.2", "@material-ui/icons": "^3.0.1", "@mozilla-frontend-infra/components": "^2.0.0", - "auth0-js": "9.2.3", + "auth0-js": "9.6.1", "chart.js": "^2.7.3", "mitt": "^1.1.3", "moment": "^2.23.0", diff --git a/yarn.lock b/yarn.lock index cf79e9c..60c187d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1418,13 +1418,14 @@ atob@^2.1.1: resolved "https://registry.yarnpkg.com/atob/-/atob-2.1.2.tgz#6d9517eb9e030d2436666651e86bd9f6f13533c9" integrity sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg== -auth0-js@9.2.3: - version "9.2.3" - resolved "https://registry.yarnpkg.com/auth0-js/-/auth0-js-9.2.3.tgz#f98650a742c83567e887703c5972d0c7275e403d" - integrity sha1-+YZQp0LINWfoh3A8WXLQxydeQD0= +auth0-js@9.6.1: + version "9.6.1" + resolved "https://registry.yarnpkg.com/auth0-js/-/auth0-js-9.6.1.tgz#908e1bc5e9a7c6f787b019ad53d7688caaa2f48e" + integrity sha1-kI4bxemnxveHsBmtU9dojKqi9I4= dependencies: base64-js "^1.2.0" - idtoken-verifier "^1.1.1" + idtoken-verifier "^1.2.0" + js-cookie "^2.2.0" qs "^6.4.0" superagent "^3.8.2" url-join "^1.1.0" @@ -4417,7 +4418,7 @@ icss-utils@^2.1.0: dependencies: postcss "^6.0.1" -idtoken-verifier@^1.1.1: +idtoken-verifier@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/idtoken-verifier/-/idtoken-verifier-1.2.0.tgz#4654f1f07ab7a803fc9b1b8b36057e2a87ad8b09" integrity sha512-8jmmFHwdPz8L73zGNAXHHOV9yXNC+Z0TUBN5rafpoaFaLFltlIFr1JkQa3FYAETP23eSsulVw0sBiwrE8jqbUg== @@ -5327,6 +5328,11 @@ jest@^23: import-local "^1.0.0" jest-cli "^23.6.0" +js-cookie@^2.2.0: + version "2.2.0" + resolved "https://registry.yarnpkg.com/js-cookie/-/js-cookie-2.2.0.tgz#1b2c279a6eece380a12168b92485265b35b1effb" + integrity sha1-Gywnmm7s44ChIWi5JIUmWzWx7/s= + js-levenshtein@^1.1.3: version "1.1.4" resolved "https://registry.yarnpkg.com/js-levenshtein/-/js-levenshtein-1.1.4.tgz#3a56e3cbf589ca0081eb22cd9ba0b1290a16d26e" @@ -5988,7 +5994,19 @@ miller-rabin@^4.0.0: resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.37.0.tgz#0b6a0ce6fdbe9576e25f1f2d2fde8830dc0ad0d8" integrity sha512-R3C4db6bgQhlIhPU48fUtdVmKnflq+hRdad7IyKhtFj06VPNVdk2RhiYL3UjQIlso8L+YxAtFkobT0VK+S/ybg== -mime-types@^2.1.12, mime-types@~2.1.17, mime-types@~2.1.18, mime-types@~2.1.19: +mime-db@~1.38.0: + version "1.38.0" + resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.38.0.tgz#1a2aab16da9eb167b49c6e4df2d9c68d63d8e2ad" + integrity sha512-bqVioMFFzc2awcdJZIzR3HjZFX20QhilVS7hytkKrv7xFAn8bM1gzc/FOX2awLISvWe0PV8ptFKcon+wZ5qYkg== + +mime-types@^2.1.12: + version "2.1.22" + resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.22.tgz#fe6b355a190926ab7698c9a0556a11199b2199bd" + integrity sha512-aGl6TZGnhm/li6F7yx82bJiBZwgiEa4Hf6CNr8YO+r5UHr53tSTYZb102zyU50DOWWKeOv0uQLRL0/9EiKWCog== + dependencies: + mime-db "~1.38.0" + +mime-types@~2.1.17, mime-types@~2.1.18, mime-types@~2.1.19: version "2.1.21" resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.21.tgz#28995aa1ecb770742fe6ae7e58f9181c744b3f96" integrity sha512-3iL6DbwpyLzjR3xHSFNFeb9Nz/M8WDkX33t1GFQnFOllWk8pOrh/LSrB5OXlnlW5P9LH73X6loW/eogc+F5lJg==