auth0-js 9.26.1 using deprecated version of superagent 7.6.1 which contains references to polyfills.io - responsible for a recent supply chain attack #1447
Labels: bug
Description
auth0-js@9.26.1 has a dependency on superagent 7.6.1, which is deprecated. Superagent 7.6.1 contains a README.MD page which mentions polyfills.io. polyfills.io has recently been linked to a supply chain attack; please see the links below:
https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know
You can also find more details on the site below, with examples:
https://sansec.io/research/polyfill-supply-chain-attack
auth0-js should be updated to use the latest superagent dependency, version 9 and above.
Reproduction
npm install auth0-js
[screenshot attached in the original issue]
npm ls superagent
README.md
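The reproduction above relies on reading `npm ls superagent` by eye. The script below is an added example (not code from auth0-js, superagent, or the reporter) that does the same audit programmatically from a `package-lock.json` in the lockfileVersion 2/3 shape: it lists every installed copy of a package, flags copies below a minimum major, shows which dependents declared the range that pulled them in, and scans package files for the polyfill.io hostname. Because the issue says the mention sits in superagent's README, the scan separates matches in documentation files from matches in code files that could actually load a script from that host, which is the distinction a reviewer needs when deciding whether a finding is a runtime exposure. The lockfile, the `^7.0.0` range on auth0-js, the `other-tool` and `some-widget` packages and all file contents are constructed samples.

```python
"""Audit an npm install for an old transitive dependency and for references to a
flagged host, separating documentation mentions from code that would load it.

Added example; not part of auth0-js or superagent. The lockfile and file contents
below are constructed samples, not copied from either project.
"""
import json
import re
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional, Tuple

# Matches both spellings that appear in the issue text (polyfill.io / polyfills.io).
FLAGGED_HOST_RE = re.compile(r"polyfills?\.io", re.IGNORECASE)
DOC_SUFFIXES = {".md", ".markdown", ".txt"}

# Constructed sample in the shape of a lockfileVersion 3 package-lock.json:
# two copies of superagent, one nested; the auth0-js range is invented for the demo.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"auth0-js": "9.26.1"}},
    "node_modules/auth0-js": {"version": "9.26.1", "dependencies": {"superagent": "^7.0.0"}},
    "node_modules/superagent": {"version": "7.6.1"},
    "node_modules/other-tool": {"version": "1.0.0", "dependencies": {"superagent": "^9.0.0"}},
    "node_modules/other-tool/node_modules/superagent": {"version": "9.0.2"}
  }
}""")

# Constructed file contents: a README that merely mentions the host, a library file
# that does not, and a bundle that would actually load a script from it.
SAMPLE_FILES = {
    "node_modules/superagent/README.md":
        "Older browsers need a Promise polyfill; one source is https://polyfill.io/.",
    "node_modules/superagent/lib/client.js":
        "module.exports = function request(method, url) { /* ... */ };",
    "node_modules/some-widget/dist/widget.js":
        "var s=document.createElement('script');s.src='https://cdn.polyfill.io/v3/polyfill.min.js';",
}


def parse_major(version: str) -> Optional[int]:
    """Leading numeric component of a version string, or None if unparseable."""
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else None


def find_package_versions(lockfile: dict, name: str) -> List[Tuple[str, str]]:
    """Every installed copy of `name` (hoisted or nested) as (path, version)."""
    return [(path, meta.get("version", ""))
            for path, meta in lockfile.get("packages", {}).items()
            if path.endswith("node_modules/" + name)]


def outdated_copies(lockfile: dict, name: str, min_major: int) -> List[Tuple[str, str]]:
    """Copies whose major version is below `min_major` (or cannot be parsed)."""
    return [(path, version) for path, version in find_package_versions(lockfile, name)
            if parse_major(version) is None or parse_major(version) < min_major]


def dependents_of(lockfile: dict, name: str) -> List[Tuple[str, str]]:
    """Packages that declare a range on `name`, i.e. who pulled it in."""
    return [(path or "(root)", meta["dependencies"][name])
            for path, meta in lockfile.get("packages", {}).items()
            if name in meta.get("dependencies", {})]


def classify_references(files: Dict[str, str], pattern=FLAGGED_HOST_RE) -> Dict[str, List[str]]:
    """Split files mentioning the host into docs (prose only) and code (may load it)."""
    findings: Dict[str, List[str]] = {"docs": [], "code": []}
    for path, text in files.items():
        if pattern.search(text):
            kind = "docs" if PurePosixPath(path).suffix.lower() in DOC_SUFFIXES else "code"
            findings[kind].append(path)
    return findings


def read_tree(root: str) -> Dict[str, str]:
    """Read a real node_modules tree into the {path: text} shape used above."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_text(errors="replace")
            for p in base.rglob("*") if p.is_file()}


def audit(lockfile: dict, files: Dict[str, str], name: str = "superagent",
          min_major: int = 9) -> dict:
    """Combined report: outdated copies, who requires them, and host references."""
    return {"outdated": outdated_copies(lockfile, name, min_major),
            "dependents": dependents_of(lockfile, name),
            "references": classify_references(files)}


if __name__ == "__main__":
    # For a real project: audit(json.load(open("package-lock.json")), read_tree("node_modules"))
    print(json.dumps(audit(SAMPLE_LOCKFILE, SAMPLE_FILES), indent=2))
```

On the constructed sample the report lists the hoisted `node_modules/superagent` 7.6.1 as outdated while the nested 9.0.2 copy passes, names `auth0-js` as the package whose `^7.0.0` range keeps the old copy installed, and files the README under `docs` and the `some-widget` bundle under `code`. Only the `code` bucket indicates something that could fetch from the host at runtime; a `docs` hit is a reason to upgrade and to review, not evidence that the package loads anything from polyfill.io.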
Additional context
We are installing auth0-js using npm and don't use scripts or a CDN.
auth0-js version
9.26.1
Which browsers have you tested in?
Chrome