This repository has been archived by the owner on May 6, 2021. It is now read-only.

[Security] Bump next-auth from 1.12.1 to 3.3.0 #81

Merged

Conversation

dependabot-preview[bot]
Contributor

Bumps next-auth from 1.12.1 to 3.3.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Token verification bug in next-auth

Impact

Implementations using the Prisma database adapter with the Email provider are impacted.

Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter (TypeORM) with the Email provider are not impacted. Implementations not using a database are not impacted.

Patches

This issue is fixed in 3.3.0 and newer versions.

Workarounds

Those not able to upgrade can alternatively disable the Email provider as a workaround.

Description

The Prisma database adapter was checking the verification token but not the identifier (the email address associated with the token). This made it possible to use a valid token assigned to one user, to sign in as another user when using the Prisma adapter in conjunction with the Email provider. The defect is specific to the community-supported Prisma database adapter in versions <3.3.0 and is not present in the default database adapter (TypeORM).

... (truncated)

Affected versions: < 3.3.0

Release notes

Sourced from next-auth's releases.

v3.3.0

Features

  • provider: update session when signIn/signOut successful (#1267) (f4269f7)
  • provider: add EVE Online provider (#1227) (c387f32)
  • provider: option to disable client-side redirects (credentials) (#1219) (690f81e)
  • ts: preliminary work to support TypeScript in the future (#1223) (562bcf2)

Bug fixes

  • page: fix typo in error page (748e7b4)
  • provider: add verificationRequest flag to email signIn callback (#1258) (5ee84c5)
  • ui: use color text var for input color (#1260) (487906e)
  • provider: okta client authentication (#1257) (cb6f787)
  • provider: Fixes for email sign in (#1285) (c5bb0ac)

Documentation

  • provider: Update Atlassian docs (#1255) (c7f1923)
  • clarify custom pages usage [skip release] (#1239) (afb5082)
  • provider: Update azure-ad-b2c.md [skip release] (#1280) (cfc6648)
  • adapter: Update Prisma docs [skip release] (#1279) (#1283) (8121f72)
  • adapter: Update Prisma docs (#1279) (6af40e3)
  • Change "docs" to "documentation" (69cc6bf)
  • Minor text error fixed [skip release] (#1263) (15e9d9e)

v3.3.0-canary.11

3.3.0-canary.11 (2021-02-09)

Documentation

v3.3.0-canary.10

3.3.0-canary.10 (2021-02-09)

Bug Fixes

Documentation

v3.3.0-canary.9

3.3.0-canary.9 (2021-02-09)

Documentation

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will not automatically merge this PR because it includes a major update to a production dependency.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Apr 22, 2021
@jonfairbanks jonfairbanks merged commit b67ed16 into develop Apr 23, 2021
@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/develop/next-auth-3.3.0 branch April 23, 2021 19:06