
chore(deps): Pin auth0 superagent version #6903


Merged (1 commit) Jul 30, 2024

Conversation

abshierjoel
Contributor

Part of #1980

There is a vulnerability with superagent on versions before 9.x which results in the following warning:

warning auth0-js > [email protected]: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net

Superagent is a sub-dependency of auth0/auth0.js, which has not updated to a recent version. Superagent has not had a breaking change since v6 and everything looks to be good with Auth0. I have opened a PR with Auth0 to hopefully resolve the issue auth0/auth0.js#1445. But in the meantime I think we should pin the version, as we've done for qs. Movement in that repo appears to be very slow.

Checklist

Authors and Reviewer(s), please verify the following:

  • A PR description, regardless of the triviality of this change, that communicates the value of this PR
  • Well-formatted conventional commit messages that provide context into the change
  • Documentation updated or issue created (provide link to issue/PR)
  • Signed CLA (if not already signed)
  • Feature flagged, if applicable

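The pinning approach the description refers to, as an added example that is not part of this PR, of the repository, or of auth0.js: a small Node.js script that parses a yarn.lock (v1 format), flags any resolved copy of superagent below 9.0.0 together with the parent package that pulls it in, and produces the package.json `resolutions` entry that pins it. The lockfile text and every version in it are constructed for illustration, and the `auth0-js/superagent` path with its `^9.0.0` range (and the `auth0-js/qs` entry) are assumptions, not the values this repository actually uses.

```javascript
// Added example, not code from the PR or from auth0.js. Audits a yarn.lock
// (v1 format) for a transitive dependency resolved below a minimum version,
// reports which parent pulls it in, and builds the yarn "resolutions" pin.
// SAMPLE_YARN_LOCK is constructed for illustration; it is not the real lockfile.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


auth0-js@^9.0.0:
  version "9.0.0"
  resolved "https://registry.yarnpkg.com/auth0-js/-/auth0-js-9.0.0.tgz"
  dependencies:
    qs "^6.10.1"
    superagent "^5.3.1"

superagent@^5.3.1:
  version "5.3.1"
  resolved "https://registry.yarnpkg.com/superagent/-/superagent-5.3.1.tgz"
  dependencies:
    formidable "^1.2.2"

superagent@^9.0.0:
  version "9.0.2"
  resolved "https://registry.yarnpkg.com/superagent/-/superagent-9.0.2.tgz"
`;

// "name@range" -> "name"; lastIndexOf copes with scoped names like "@babel/traverse@^7.16.3".
function packageName(key) {
  return key.slice(0, key.lastIndexOf('@'));
}

// Minimal yarn.lock v1 parser: header lines end with ":" and list one or more
// "name@range" keys; "  version" and four-space-indented dependency lines follow.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { name: packageName(keys[0]), keys, version: null, dependencies: {} };
      entries.push(current);
      continue;
    }
    if (!current) continue;
    const versionMatch = line.match(/^  version "([^"]+)"$/);
    if (versionMatch) { current.version = versionMatch[1]; continue; }
    const depMatch = line.match(/^    "?([^"\s]+)"?\s+"?([^"]+)"?$/);
    if (depMatch) current.dependencies[depMatch[1]] = depMatch[2];
  }
  return entries;
}

// Compare major.minor.patch numerically; pre-release/build suffixes are ignored.
function compareSemver(a, b) {
  const parts = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of depName below minVersion, with the parents whose
// declared range resolved to that exact lock entry (the "auth0-js > superagent" path).
function findBelowMinimum(entries, depName, minVersion) {
  return entries
    .filter((e) => e.name === depName && e.version && compareSemver(e.version, minVersion) < 0)
    .map((hit) => ({
      version: hit.version,
      keys: hit.keys,
      parents: entries
        .filter((p) => p.dependencies[depName] !== undefined &&
                       hit.keys.includes(`${depName}@${p.dependencies[depName]}`))
        .map((p) => p.name),
    }));
}

// Yarn "resolutions" force the version a nested dependency resolves to.
// "auth0-js/superagent" pins only the copy under auth0-js; "**/superagent"
// would pin every copy in the tree. Returns a new object; input is not mutated.
function addYarnResolution(pkgJson, parentName, depName, range) {
  const resolutions = { ...(pkgJson.resolutions || {}), [`${parentName}/${depName}`]: range };
  return { ...pkgJson, resolutions };
}

const entries = parseYarnLock(SAMPLE_YARN_LOCK);
for (const hit of findBelowMinimum(entries, 'superagent', '9.0.0')) {
  console.log(`superagent@${hit.version} still resolved via: ${hit.parents.join(', ')}`);
}
// Constructed package.json; the existing qs pin and the ^9.0.0 range are assumptions.
const pinnedPackageJson = addYarnResolution(
  { name: 'example-ui', resolutions: { 'auth0-js/qs': '^6.10.3' } },
  'auth0-js', 'superagent', '^9.0.0');
console.log(JSON.stringify(pinnedPackageJson.resolutions, null, 2));
```

Run it with `node` against a real yarn.lock by swapping `SAMPLE_YARN_LOCK` for the file contents. After adding the resolution to package.json, run `yarn install` and re-run the audit on the regenerated lockfile: a resolution only takes effect once the lockfile has been rewritten, and the check is the absence of any `superagent` entry below 9.0.0, not the disappearance of the install-time warning alone. Pinning a transitive version this way should be rechecked whenever the parent (here auth0-js) is upgraded, since the parent may by then declare a compatible range on its own.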
@abshierjoel abshierjoel requested a review from a team as a code owner June 26, 2024 21:29
@abshierjoel abshierjoel requested a review from wdoconnell June 26, 2024 21:30
@wdoconnell wdoconnell added this pull request to the merge queue Jul 26, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 26, 2024
@wdoconnell wdoconnell added this pull request to the merge queue Jul 29, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 29, 2024
@wdoconnell wdoconnell added this pull request to the merge queue Jul 29, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 29, 2024
@wdoconnell
Contributor

Will retry after CI fixes are in #6917

@wdoconnell wdoconnell added this pull request to the merge queue Jul 29, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 29, 2024
@wdoconnell wdoconnell added this pull request to the merge queue Jul 30, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 30, 2024
@wdoconnell wdoconnell added this pull request to the merge queue Jul 30, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 30, 2024
@wdoconnell wdoconnell added this pull request to the merge queue Jul 30, 2024
Merged via the queue into master with commit be7552b Jul 30, 2024
6 checks passed
@wdoconnell wdoconnell deleted the chore/pin-auth0-superagent-version branch July 30, 2024 14:23
jdstrand added a commit that referenced this pull request Jan 23, 2025
* build(deps): bump semver from 5.7.1 to 5.7.2 (#6756)

Bumps [semver](https://github.com/npm/node-semver) from 5.7.1 to 5.7.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](npm/node-semver@v5.7.1...v5.7.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chunchun <[email protected]>

* build(deps): bump word-wrap from 1.2.3 to 1.2.4 (#6768)

Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump @adobe/css-tools from 4.0.1 to 4.3.1 (#6795)

Bumps [@adobe/css-tools](https://github.com/adobe/css-tools) from 4.0.1 to 4.3.1.
- [Changelog](https://github.com/adobe/css-tools/blob/main/History.md)
- [Commits](https://github.com/adobe/css-tools/commits)

---
updated-dependencies:
- dependency-name: "@adobe/css-tools"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump postcss from 8.4.19 to 8.4.31 (#6815)

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.19 to 8.4.31.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.19...8.4.31)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump @babel/traverse from 7.16.3 to 7.23.2 (#6820)

Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.16.3 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump crypto-js from 4.1.1 to 4.2.0 (#6825)

Bumps [crypto-js](https://github.com/brix/crypto-js) from 4.1.1 to 4.2.0.
- [Commits](brix/crypto-js@4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: crypto-js
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump @adobe/css-tools from 4.3.1 to 4.3.2 (#6843)

Bumps [@adobe/css-tools](https://github.com/adobe/css-tools) from 4.3.1 to 4.3.2.
- [Changelog](https://github.com/adobe/css-tools/blob/main/History.md)
- [Commits](https://github.com/adobe/css-tools/commits)

---
updated-dependencies:
- dependency-name: "@adobe/css-tools"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump follow-redirects from 1.14.8 to 1.15.4 (#6849)

Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.8 to 1.15.4.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.8...v1.15.4)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump webpack-dev-middleware from 5.3.3 to 5.3.4 (#6878)

Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4.
- [Release notes](https://github.com/webpack/webpack-dev-middleware/releases)
- [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md)
- [Commits](webpack/webpack-dev-middleware@v5.3.3...v5.3.4)

---
updated-dependencies:
- dependency-name: webpack-dev-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump express from 4.18.2 to 4.19.2 (#6880)

Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump braces from 3.0.2 to 3.0.3 (#6895)

* build(deps): bump braces from 3.0.2 to 3.0.3

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore: empty commit

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chunchun <[email protected]>

* build(deps): bump ws from 6.2.2 to 6.2.3 (#6897)

* build(deps): bump ws from 6.2.2 to 6.2.3

Bumps [ws](https://github.com/websockets/ws) from 6.2.2 to 6.2.3.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@6.2.2...6.2.3)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore: empty commit

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chunchun <[email protected]>

* chore(deps): Pin auth0 superagent version (#6903)

* build(deps): bump micromatch from 4.0.5 to 4.0.8 (#6937)

Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.5 to 4.0.8.
- [Release notes](https://github.com/micromatch/micromatch/releases)
- [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/micromatch@4.0.5...4.0.8)

---
updated-dependencies:
- dependency-name: micromatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump express from 4.19.2 to 4.21.0 (#6949)

Bumps [express](https://github.com/expressjs/express) from 4.19.2 to 4.21.0.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](expressjs/express@4.19.2...4.21.0)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump dompurify from 2.3.4 to 2.5.6 (#6950)

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.3.4 to 2.5.6.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.3.4...2.5.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update yarn.lock for oats and influxdb-templates (yarn install)

* build(deps): bump http-proxy-middleware from 2.0.6 to 2.0.7 (#6966)

Bumps [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) from 2.0.6 to 2.0.7.
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.7/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.6...v2.0.7)

---
updated-dependencies:
- dependency-name: http-proxy-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump nanoid from 3.2.0 to 3.3.8 (#6986)

Bumps [nanoid](https://github.com/ai/nanoid) from 3.2.0 to 3.3.8.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.2.0...3.3.8)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: do not force focus on uses of monacotype support cmd (#6992)

* chore: bump CI permitted retry, disable two flaky tests (#6919)

chore: skip clone-and-immediately-activate-task-test

chore: skip flaky scriptquery test

* fix: correct tests to be handled by faster ci runner (#6911)

* chore: add delay to tasks-searching test (#6913)

* fix: flake in scriptquerybuilder, tasks e2es (#6917)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chunchun <[email protected]>
Co-authored-by: Joel Abshier <[email protected]>
Co-authored-by: Bill O'Connell <[email protected]>