Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump cacheable-request and oidc-provider #229

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump cacheable-request and oidc-provider #229

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 11, 2023

Bumps cacheable-request to 10.2.7 and updates ancestor dependency oidc-provider. These dependencies need to be updated together.

Updates cacheable-request from 5.1.0 to 10.2.7

Release notes

Sourced from cacheable-request's releases.

v10.2.6

Fix for memory leak on Listeners

The listener was not being removed on response and just error but new handlers were being added causing a memory leak.

line 220 in src/index.ts was modified to remove the listener on response also 

			if (this.cache instanceof Keyv) {
				const cachek = this.cache;
				cachek.once('error', errorHandler);
				ee.on('error', () => cachek.removeListener('error', errorHandler));
				ee.on('response', () => cachek.removeListener('error', errorHandler));
			}

What's Changed

Full Changelog: https://github.com/jaredwray/cacheable-request/compare/v10.2.5...v10.2.6

v10.2.5

Types definition issue with http-cache-sematics as that type definition needs to be in dependencies. Thanks @​Maxim-Mazurok

What's Changed

Full Changelog: https://github.com/jaredwray/cacheable-request/compare/v10.2.4...v10.2.5

v10.2.4

Minor updates with one exception is that we removed @types/http-cache-semantics from the main dependencies as it does not look to be needed.

What's Changed

Full Changelog: https://github.com/jaredwray/cacheable-request/compare/v10.2.3...v10.2.4

v10.2.3 Maintenance Release

Upgrading core modules in the system such as keyv and also a minor fix to an uncaught exception that we were seeing referenced here: sindresorhus/got#1925

Additional update is moving normalize-url to 8.0.0 which after testing it looks to not affect anything but will post the release notes here: https://github.com/sindresorhus/normalize-url/releases/tag/v8.0.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jaredwray, a new releaser for cacheable-request since your current version.


Updates oidc-provider from 4.8.3 to 8.1.0

Release notes

Sourced from oidc-provider's releases.

v8.1.0

Features

  • mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

v8.0.0

⚠ BREAKING CHANGES

  • Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
  • The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
  • request_uri parameter is no longer supported at the Device Authorization Endpoint.
  • The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
  • PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
  • CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
  • Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
  • Completely removed v6.x way of setting access token formats.
  • expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
  • Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
  • Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
  • features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
  • id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
  • userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
  • introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
  • authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
  • The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
  • request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
  • httpOptions return property lookup was renamed to dnsLookup.
  • httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.
  • oidc-provider is now an ESM-only module, it must now be imported using the import declaration or the import() syntax, the Provider constructor is the module's default export, the errors and interactionPolicy exports are the package's named exports. There is no Provider named export.
  • httpOptions no longer defaults to using the npm module cacheable-lookup as its dnsLookup option. It defaults to node:dns module's lookup export instead.
  • PASETO Access Token format support was removed.
  • Removed support for Node.js 12.
  • Removed support for Node.js 14.
  • Removed support for Node.js 16.
  • Node.js LTS 18 (^18.12.0) is now required.
  • Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the ttl.AuthorizationCode configuration option.
  • Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the features.requestObjects.mode configuration option.
  • The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
  • The PBKDF2 based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
  • The client registration management update action now rotates registration access tokens by default. This can be reverted using the features.registrationManagement.rotateRegistrationAccessToken configuration option.
  • It is no longer possible to pass Bearer tokens using the access_token query string parameter. This can be reverted using the acceptQueryParamAccessTokens configuration option.
  • The tokenEndpointAuthMethods configuration method was renamed to clientAuthMethods.
  • The enabledJWA.tokenEndpointAuthSigningAlgValues configuration method was renamed to enabledJWA.clientAuthSigningAlgValues.
  • The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
  • The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.

Features

  • add UnmetAuthenticationRequirements error (3f6684a)
  • bump DPoP to draft-11 (917507f)

... (truncated)

Changelog

Sourced from oidc-provider's changelog.

8.1.0 (2023-01-23)

Features

  • mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

8.0.0 (2022-12-03)

⚠ BREAKING CHANGES

  • Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
  • The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
  • request_uri parameter is no longer supported at the Device Authorization Endpoint.
  • The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
  • PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
  • CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
  • Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
  • Completely removed v6.x way of setting access token formats.
  • expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
  • Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
  • Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
  • features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
  • id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
  • userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
  • introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
  • authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
  • The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
  • request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
  • httpOptions return property lookup was renamed to dnsLookup.
  • httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.
  • oidc-provider is now an ESM-only module, it must now be imported using the import declaration or the import() syntax, the Provider constructor is the module's default export, the errors and interactionPolicy exports are the package's named exports. There is no Provider named export.
  • httpOptions no longer defaults to using the npm module cacheable-lookup as its dnsLookup option. It defaults to node:dns module's lookup export instead.
  • PASETO Access Token format support was removed.
  • Removed support for Node.js 12.
  • Removed support for Node.js 14.
  • Removed support for Node.js 16.
  • Node.js LTS 18 (^18.12.0) is now required.
  • Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the ttl.AuthorizationCode configuration option.
  • Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the features.requestObjects.mode configuration option.
  • The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
  • The PBKDF2 based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
  • The client registration management update action now rotates registration access tokens by default. This can be reverted using the features.registrationManagement.rotateRegistrationAccessToken configuration option.
  • It is no longer possible to pass Bearer tokens using the access_token query string parameter. This can be reverted using the acceptQueryParamAccessTokens configuration option.
  • The tokenEndpointAuthMethods configuration method was renamed to clientAuthMethods.
  • The enabledJWA.tokenEndpointAuthSigningAlgValues configuration method was renamed to enabledJWA.clientAuthSigningAlgValues.
  • The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
  • The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.

... (truncated)

Commits
  • 897ed11 chore(release): 8.1.0
  • be3f47f feat: mTLS.getCertificate helper can return a X509Certificate object
  • 6e5abc4 refactor: remove engines entry, update runtime node version check
  • 646493d chore: cleanup certification/fapi/index.js
  • f78eaa7 chore: bump lockfile
  • 864cf94 refactor: cleanup use of checkPKCE
  • 67e208e chore: update dev deps
  • 5c880c1 example: fix typo in prisma types (#1214)
  • a785ab4 example: add prisma adapter (#1213)
  • 2a9890c chore: bump dev deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by panva, a new releaser for oidc-provider since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump cacheable-request and oidc-provider
975ac5e 
Bumps [cacheable-request](https://github.com/jaredwray/cacheable-request) to 10.2.7 and updates ancestor dependency [oidc-provider](https://github.com/panva/node-oidc-provider). These dependencies need to be updated together.


Updates `cacheable-request` from 5.1.0 to 10.2.7
- [Release notes](https://github.com/jaredwray/cacheable-request/releases)
- [Commits](https://github.com/jaredwray/cacheable-request/commits)

Updates `oidc-provider` from 4.8.3 to 8.1.0
- [Release notes](https://github.com/panva/node-oidc-provider/releases)
- [Changelog](https://github.com/panva/node-oidc-provider/blob/main/CHANGELOG.md)
- [Commits](panva/node-oidc-provider@v4.8.3...v8.1.0)

---
updated-dependencies:
- dependency-name: cacheable-request
  dependency-type: indirect
- dependency-name: oidc-provider
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants