
Please upgrade axios to >1.6.0 #175

Closed
4 tasks done
FauxFaux opened this issue Oct 30, 2023 · 7 comments

@FauxFaux

Checklist

  • I have looked into the Readme and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

There's a security vulnerability in axios 0.x and 1.x < 1.6.

This library depends on axios 0.27:

"axios": "^0.27.2",

Describe the ideal solution

Please move to an HTTP client without a vuln; easiest is probably axios 1.6.0.

Alternatives and current workarounds

No response

Additional context

No response
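As an added check that is not part of the issue or the passport-auth0 project: a small scan of an npm lockfile (v2/v3 `packages` map) that reports every copy of axios, including transitive copies nested under another package, whose version falls in the range the issue describes (0.x, and 1.x below 1.6.0). The range is taken from the issue text rather than from an advisory, and the lockfile is a constructed sample, not a real project's.

```javascript
// Added example: find vulnerable axios copies in an npm lockfile.
// Vulnerable range as stated in the issue: 0.x and 1.x < 1.6.0 (assumption, not
// verified against an advisory; adjust if your advisory source differs).

// Minimal semver parser: "1.6.0", "0.27.2", "1.6.0-rc.1" -> parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Any 0.x is vulnerable; 1.x is vulnerable when minor < 6. A 1.6.0 prerelease
// (1.6.0-rc.1) sorts before 1.6.0 under semver, so it is treated as unfixed too.
function isVulnerableAxiosVersion(version) {
  const v = parseSemver(version);
  if (v.major === 0) return true;
  if (v.major === 1) {
    if (v.minor < 6) return true;
    if (v.minor === 6 && v.patch === 0 && v.prerelease !== null) return true;
  }
  return false;
}

// Walk lockfile.packages. Keys look like "node_modules/axios" or
// "node_modules/passport-auth0/node_modules/axios"; the segment after the last
// "node_modules/" is the package name (this also handles "@scope/name").
function findVulnerableAxios(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    const name = path.slice(idx + 'node_modules/'.length);
    if (name !== 'axios' || !meta.version) continue;
    if (isVulnerableAxiosVersion(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): the app has a fixed
// axios at top level, but a dependency pulls its own 0.27.2 copy underneath it,
// which `npm ls axios` at top level alone would not make obvious.
const sampleLockfile = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/passport-auth0': { version: '1.4.3' },
    'node_modules/passport-auth0/node_modules/axios': { version: '0.27.2' },
  },
};

console.log(findVulnerableAxios(sampleLockfile));
// [ { path: 'node_modules/passport-auth0/node_modules/axios', version: '0.27.2' } ]
```

The point of scanning the lockfile rather than package.json is the nested copy: a top-level `axios@1.6.0` says nothing about the `^0.27.2` a library resolves for itself.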

@frederikprijck
Member

Thanks, will look into updating this.

@frederikprijck
Member

frederikprijck commented Oct 30, 2023

Released as 1.4.4, thanks for reporting!

@FauxFaux
Author

Haha, resolved before I'd finished reading the list of affected packages. Great work. :)

@Bharts8

Bharts8 commented Oct 31, 2023

Perhaps this should have been a minor change instead of just a patch, due to axios moving from CommonJS to ES between these two versions. Maybe it is not relevant, but we did see some legacy stuff fall over after pulling 1.4.4, so leaving this comment for posterity.

@frederikprijck
Member

frederikprijck commented Oct 31, 2023

Typically I wouldn't disagree, but in this case there is no option to stick to any other axios version. As it's a high vulnerability, I wanted to ensure this gets out to as many as possible.

Maybe it's worth dropping axios altogether, as we only use it in one place, which is deprecated anyway.

Can you elaborate what fell apart and did you solve it or did you pin to an older version of our SDK?

Looking at the readme, it does look like it still supports CommonJS though? https://github.com/axios/axios

@frederikprijck
Member

frederikprijck commented Oct 31, 2023

@Bharts8 I looked into this, and was not able to reproduce this. Would appreciate some more information to help understand scenarios where this would break.

What I did was, I took this project, and migrated it to use the latest version of passport-auth0 and was still able to successfully run the application and use the SDK, including the deprecated method that actually uses axios.

I assume you are using something that does not support the exports field in package.json, which is correctly set to CommonJS for axios: https://github.com/axios/axios/blob/v1.x/package.json#L6-L20. Instead, I assume your tooling is picking up index.js because of the main field in package.json: https://github.com/axios/axios/blob/v1.x/package.json#L5

Can you share some information about the tooling involved? Mostly node version or module loaders.
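To make the resolution behaviour described in the comment above concrete, here is an added example (not axios's or passport-auth0's code) that simulates how two kinds of loaders pick a package's entry file: a modern Node resolver honours the exports field and matches conditions such as require and import in key order, while legacy tooling that predates exports falls back to main. The package.json below is constructed to resemble the axios 1.x layout the comment describes (a CommonJS build under exports, an ESM index.js under main with type set to module); the name and file paths are stand-ins, not a copy of the real file.

```javascript
// Added example: package entry resolution with and without "exports" support.
// Constructed package.json modelled on the layout described in the thread
// (assumption: stand-in name and paths, not axios's real manifest).
const pkg = {
  name: 'example-http-client',
  type: 'module',      // bare .js files in this package are ESM
  main: 'index.js',    // what legacy loaders see
  exports: {
    '.': {
      browser: { require: './dist/browser/client.cjs', default: './index.js' },
      default: { require: './dist/node/client.cjs', default: './index.js' },
    },
    './package.json': './package.json',
  },
};

// Resolve a conditional exports target the way Node does: object keys are tried
// in insertion order, the first key that is an active condition (or "default")
// wins, nested objects recurse. A string is a final target; null means blocked;
// undefined means nothing matched.
function resolveConditions(target, conditions) {
  if (typeof target === 'string' || target === null) return target;
  if (Array.isArray(target)) {
    for (const t of target) {
      const r = resolveConditions(t, conditions);
      if (r !== undefined) return r;
    }
    return undefined;
  }
  for (const [key, value] of Object.entries(target)) {
    if (key === 'default' || conditions.has(key)) {
      const r = resolveConditions(value, conditions);
      if (r !== undefined) return r;
    }
  }
  return undefined;
}

// Entry file for the bare specifier (subpath "."). Subpath patterns ("./*")
// are out of scope for this example.
function resolveEntry(packageJson, { supportsExports, conditions }) {
  if (supportsExports && packageJson.exports !== undefined) {
    const ex = packageJson.exports;
    const isSubpathMap = typeof ex === 'object' && ex !== null && !Array.isArray(ex)
      && Object.keys(ex).every((k) => k.startsWith('.'));
    const target = isSubpathMap ? ex['.'] : ex;
    const file = resolveConditions(target, new Set(conditions));
    if (file === undefined || file === null) throw new Error('entry "." is not exported');
    return file;
  }
  // Legacy path: ignore "exports" entirely and trust "main".
  return './' + (packageJson.main || 'index.js').replace(/^\.\//, '');
}

// Format Node assigns to a file in this package: .cjs/.mjs are explicit,
// plain .js follows the package "type" field.
function moduleFormat(packageJson, file) {
  if (file.endsWith('.cjs')) return 'commonjs';
  if (file.endsWith('.mjs')) return 'module';
  return packageJson.type === 'module' ? 'module' : 'commonjs';
}

// What a CommonJS consumer calling require() ends up loading.
function describeRequire(packageJson, supportsExports) {
  const file = resolveEntry(packageJson, { supportsExports, conditions: ['node', 'require'] });
  return { file, format: moduleFormat(packageJson, file) };
}

console.log('modern require():', describeRequire(pkg, true));   // CJS build, loads fine
console.log('legacy require():', describeRequire(pkg, false));  // ESM index.js, require() would fail
console.log('import:', resolveEntry(pkg, { supportsExports: true, conditions: ['node', 'import'] }));
```

The legacy path is the failure mode the comment suspects: a loader that ignores exports lands on index.js, which under type module is ESM, so a require() from CommonJS code breaks even though the package does ship a CommonJS build. Checking the Node version and any bundler or transpiler in the chain for exports support is the first thing to look at.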

@Bharts8

Bharts8 commented Oct 31, 2023

Yeah, after a little more digging there are other issues that really exacerbated that legacy stuff. The reliance on a completely outdated node version was probably the more sinister culprit that just exposed the underlying import in passport-auth0 which blew out for us.

I don't think you need to specifically do anything (though it'd be interesting to see if there WERE any breaking changes between a 0.X and a 1.X just in case, but it doesn't seem like it). At this point this is more so just putting in a comment for the next person who comes sniffing if their builds start coughing, giving them somewhere to look.
