Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.2.6 #1021

Closed
wants to merge 1 commit into from
Closed

[Snyk] Upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.2.6 #1021

wants to merge 1 commit into from
+67 −22

Conversation

edwardsph
Copy link
Contributor

snyk-top-banner

Snyk has created this PR to upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.2.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 8 versions ahead of your current version.

  • The recommended version was released on 2 months ago.

Release notes
Package name: @inrupt/solid-client-authn-browser
  • 2.2.6 - 2024-09-18

    node and browser

    • Repository URL in package.json updated to set the repository.type property to git. This intends at
      restoring the previous behavior of npm view @ inrupt/solid-client-authn repository.url, expected to return
      git+https://github.com/inrupt/solid-client-authn-js.git.

    Full Changelog: v2.2.5...v2.2.6

  • 2.2.5 - 2024-09-16

    New Features

    • Node 22 is now supported

    Full Changelog: v2.2.4...v2.2.5

  • 2.2.4 - 2024-06-24

    Bugfixes

    node and browser

    • The clientAppId property is now correctly set in the ISessionInfo objects returned by the handleIncomingRedirect function in ClientAuthentication and in the Session class.

    node

    • The keepAlive option (introduced in v2.2.0) is now correctly observed in a script using the Client Credentials flow (i.e. using a clientId and a clientSecret to log in). It previously was disregarded, and the Session always self-refreshed in the background

    Full Changelog: v2.2.3...v2.2.4

  • 2.2.3 - 2024-06-20

    Bugfix

    node and browser

    • Fix parsing clientId from ID Token azp claim: the parsing of the ID Token payload was not correctly extracting the clientId from the azp claim. As a result, session.info.clientAppId was not being initialised upon successful login, which prevented the idp logout of the session from working as expected.

    Full Changelog: v2.2.2...v2.2.3

  • 2.2.2 - 2024-06-18

    Bugfix

    node

    • Maintain token type in getSessionIdFromStorage: When loading a session from storage on the server
      (using getSessionIdFromStorage), the token type (i.e. DPoP-bound or not, referred to as Bearer) is
      now consistent with the token type initially associated with the session. Previously, regardless of
      the token type requested when logging the session in, the token type defaulted to DPoP when logging
      the session back in on load from storage, causing authentication issues.

    Full Changelog: v2.2.1...v2.2.2

  • 2.2.1 - 2024-06-05

    Bugfix

    browser

    • Fix #3518: Prevent refresh token from being persisted in local storage.

    New Contributors

    Full Changelog: v2.2.0...v2.2.1

  • 2.2.0 - 2024-05-03

    New Feature

    node

    • It is now possible to prevent a Session self-refreshing in NodeJS. To do so, a new
      parameter is added to the constructor: Session({ keepAlive: false }). This prevents
      the Session setting a callback to refresh the Access Token before it expires, which
      could cause a memory leak in the case of a server-side application with many users.
      It also avoids unnecessary requests being sent to the OpenID Provider.
  • 2.1.0 - 2024-03-14

    New Feature

    node and browser

    • OpenID Providers with multiple JWK in their JWKS are now supported. Thanks to
      @ pavol-brunclik-compote for the original contribution.

    node

    • Authorization code flow for statically registered clients is now supported. Statically registered
      clients previously defaulted to the Client Credentials flow, it is no longer an assumption.

    Bugfix

    browser

    • Fix non-DPoP bound tokens support in browser: a bug in the handling of non-DPoP-bound tokens was
      preventing the auth code grant to complete, with a 401 to the OpenId Provider Token Endpoint
      observed on redirect after the user authenticated. It is now possible to do
      session.login({/*...*/, tokenType: "Bearer"}) and get a successful result.
  • 2.0.0 - 2023-12-20

    Breaking Changes

    • Node 16 is no longer supported. The global fetch function is used instead of @ inrupt/universal-fetch.
      This means this library now only works with Node 18 and higher.
    • The Session class no longer extends EventEmitter. Instead, it exposes an events attribute implementing
      EventEmitter. We do not recommend to use Session instance's events attribute as an arbitrary events emitter,
      and encourage users to only use the supported events and documented API.
    • Session methods onLogin, onLogout, onError, onSessionRestore, onSessionExpiration and onNewRefreshToken
      have been removed. They are replaced by calls to session.events.on, using the appropriate event name.
    • Session constructor changes:
      • the onNewRefreshToken parameter is no longer supported. Its usage is replaced by calling session.events.on
        using the EVENTS.NEW_REFRESH_TOKEN constant as a first parameter, and a callback handling the token as a
        second parameter.
      • The useEssSession parameter is no longer supported.
    • The getClientAuthenticationWithDependencies is no longer exported as part of the public API, and is now internal-only.
    • The UMD build of @ inrupt/oidc-client-ext is no longer available. Since this is a package only intended to be
      consumed by @ inrupt/solid-client-authn-browser, which doesn't have a UMD build, this change should have no
      impact.

    Build system changes

    • Moved from rollup-plugin-typescript2 to @ rollup/plugin-typescript. Although this should not be a breaking change,
      upgrading may require extra attention.
from @inrupt/solid-client-authn-browser GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.2.6
f010621 
Snyk has created this PR to upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.2.6.

See this package in npm:
@inrupt/solid-client-authn-browser

See this project in Snyk:
https://app.snyk.io/org/engineering-CGCiXj96RbVotntN7wcPgV/project/cd1ebe52-e569-4546-b6fc-0450503c131a?utm_source=github&utm_medium=referral&page=upgrade-pr
@edwardsph edwardsph requested a review from a team as a code owner November 15, 2024 16:28
@vercel Vercel
Copy link

vercel bot commented Nov 15, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
solid-ui-react ❌ Failed (Inspect) Nov 15, 2024 5:59pm

@NSeydoux
Copy link
Contributor

This library is being sunset.

@NSeydoux NSeydoux closed this Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@edwardsph @NSeydoux @snyk-bot