fix(IDS-7281): bump axios 1.16.1, @hapi/content 6.0.2 and fast-xml-parser#444
hamzabenali-okta wants to merge 1 commit into
Conversation
| "node": ">=18.0.0" | ||
| } | ||
| }, | ||
| "node_modules/@aws-sdk/core/node_modules/fast-xml-parser": { |
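Review bot: the entry shown here, `node_modules/@aws-sdk/core/node_modules/fast-xml-parser`, is the nested copy resolved under `@aws-sdk/core`, and the commit message says the fast-xml-parser override was dropped as cosmetic while the Changes section says fast-xml-parser is bumped to 5.8.0 via overrides; please confirm which version this lockfile entry resolves to at package-lock.json:475 after ad95203, since the advisories below require at least 4.5.5 and the two descriptions disagree on whether the override is kept.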
Risk: Affected versions of fast-xml-parser are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'). The replaceEntitiesValue() function processes numeric character references (&#NNN; and &#xHH;) through a separate code path that has no expansion limit tracking, allowing an attacker to bypass all configured processEntities limits by supplying XML with a large number of numeric entity references, causing excessive memory consumption and CPU usage.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using fxparser on the CLI
Fix: Upgrade this library to at least version 4.5.5 at auth0-authorization-extension/package-lock.json:475.
Reference(s): GHSA-8gc5-j5rx-235r, CVE-2026-33036
⭐ Fixed in commit ad95203 ⭐
| "node": ">=18.0.0" | ||
| } | ||
| }, | ||
| "node_modules/@aws-sdk/core/node_modules/fast-xml-parser": { |
Risk: Affected versions of fast-xml-parser are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'). fast-xml-parser can be denial-of-service'd via uncontrolled XML entity expansion: a crafted XML document with a DOCTYPE that defines a large plain-text entity and references it many times causes OrderedObjParser.replaceEntitiesValue() to repeatedly expand the entity without any limit on output size or replacement work, blocking the Node.js event loop and freezing the application while parsing untrusted XML (mitigate by disabling entity/DOCTYPE processing, e.g., processEntities: false).
Manual Review Advice: A vulnerability from this advisory is reachable if you are using fxparser on the CLI
Fix: Upgrade this library to at least version 4.5.4 at auth0-authorization-extension/package-lock.json:475.
Reference(s): GHSA-jmr7-xgp7-cmfj, CVE-2026-26278
🧁 Fixed in commit ad95203 🧁
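The two advisories above describe the same failure mode from two directions: numeric character references (`&#NNN;` / `&#xHH;`) that are expanded outside the configured limit, and DOCTYPE-declared entities expanded without bound. The following is an added example, not code from this PR or from fast-xml-parser, of a pre-parse guard a service could run on untrusted XML before handing it to the parser. The function names, the thresholds in `DEFAULT_LIMITS` and the sample documents are assumptions constructed for illustration; `processEntities` is the real parser option the advisory names as the mitigation, but the parser itself is not invoked here.

```javascript
// Added example (not part of this PR or of fast-xml-parser): a pre-parse guard
// for XML from untrusted sources. It rejects DOCTYPE declarations (which carry
// entity definitions) and caps the number of numeric character references, the
// two inputs the advisories above identify. Thresholds are assumptions.

const DEFAULT_LIMITS = {
  maxBytes: 1024 * 1024,   // reject oversized documents before any regex work
  maxNumericRefs: 1000,    // cap on &#NNN; / &#xHH; references per document
  allowDoctype: false,     // untrusted input never needs a DTD
};

// Hardened options for fast-xml-parser's XMLParser. processEntities: false is
// the mitigation named in the advisory; pass this object to the parser.
const HARDENED_PARSER_OPTIONS = Object.freeze({ processEntities: false });

const DOCTYPE_RE = /<!DOCTYPE\b/i;
const NUMERIC_REF_RE = /&#(?:x[0-9a-f]+|[0-9]+);/gi;

// True when the document declares a DTD (where entities are defined).
function hasDoctype(xml) {
  return DOCTYPE_RE.test(xml);
}

// Number of numeric character references in the document.
function countNumericCharRefs(xml) {
  return (xml.match(NUMERIC_REF_RE) || []).length;
}

// Returns { ok, reason, numericRefs }; callers parse only when ok is true.
function checkUntrustedXml(xml, limits = {}) {
  const opts = { ...DEFAULT_LIMITS, ...limits };
  if (Buffer.byteLength(xml, 'utf8') > opts.maxBytes) {
    return { ok: false, reason: 'document exceeds size limit', numericRefs: null };
  }
  if (!opts.allowDoctype && hasDoctype(xml)) {
    return { ok: false, reason: 'DOCTYPE not permitted in untrusted input', numericRefs: null };
  }
  const refs = countNumericCharRefs(xml);
  if (refs > opts.maxNumericRefs) {
    return { ok: false, reason: `too many numeric character references (${refs})`, numericRefs: refs };
  }
  return { ok: true, reason: null, numericRefs: refs };
}

// Constructed sample inputs (not real traffic).
const SAMPLE_BENIGN =
  '<?xml version="1.0"?><ListBucketResult><Name>&#x61;&#98;</Name></ListBucketResult>';
const SAMPLE_DOCTYPE =
  '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;&e;&e;</r>';
const SAMPLE_MANY_REFS = '<r>' + '&#65;'.repeat(1500) + '</r>';

for (const [label, doc] of [['benign', SAMPLE_BENIGN], ['doctype', SAMPLE_DOCTYPE], ['many-refs', SAMPLE_MANY_REFS]]) {
  const verdict = checkUntrustedXml(doc);
  console.log(label, verdict.ok ? 'accepted' : `rejected: ${verdict.reason}`);
}
```

The size check runs first so the two regexes never scan an unbounded document; the DOCTYPE check is a byte-level scan rather than a parse, so it costs nothing extra on the happy path. Rejecting DOCTYPE outright is the simplest policy for S3 listing responses and similar machine-generated XML, which never legitimately carry a DTD.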
| "node": ">=18.0.0" | ||
| } | ||
| }, | ||
| "node_modules/@aws-sdk/core/node_modules/fast-xml-parser": { |
Risk: Affected versions of fast-xml-parser are vulnerable to Incorrect Regular Expression. fast-xml-parser is vulnerable to an entity-encoding bypass when parsing untrusted XML with DOCTYPE entities enabled (the default processEntities: true): attacker-controlled DOCTYPE entity names are interpolated into RegExp() without escaping . (dot), so a name like l. becomes a wildcard regex that shadows built-in entities such as <, >, &, ", and ', allowing arbitrary replacement text and leading to XSS (or other injection) when the parsed output is later rendered or used in an injection-sensitive context.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using fxparser on the CLI
Fix: Upgrade this library to at least version 4.5.4 at auth0-authorization-extension/package-lock.json:475.
Reference(s): GHSA-m7jm-9gc2-mpf2, CVE-2026-25896
🍰 Fixed in commit ad95203 🍰
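The advisory above is a regex-construction bug: an attacker-chosen entity name is concatenated into `RegExp()`, so a `.` in the name becomes a wildcard. The following is an added example, not code from this PR or from fast-xml-parser's `replaceEntitiesValue()`, showing the vulnerable pattern-building shape beside two hardened alternatives: escaping the name before interpolation, and a single-pass replacement with a fixed pattern so no user data reaches `RegExp()` at all. All function names and the entity tables are assumptions for illustration.

```javascript
// Added example (not part of this PR or of fast-xml-parser). Shows why an entity
// name must never be interpolated raw into RegExp(), and a replacement design
// where the name is only ever used as a lookup key. Names are assumptions.

const BUILTIN_ENTITIES = Object.freeze({ lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" });

// ASCII subset of the XML Name production (an assumption sufficient here).
// Note that '.' is a legal non-initial Name character, so a name like "l." passes
// this check: validation alone does not fix the bug, escaping does.
const XML_NAME_RE = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable shape: the raw name becomes part of the pattern, so "l." matches "&lt;".
function buildEntityPatternUnsafe(name) {
  return new RegExp('&' + name + ';', 'g');
}

// Hardened shape: metacharacters are escaped, so the name is matched literally.
function buildEntityPattern(name) {
  return new RegExp('&' + escapeRegExp(name) + ';', 'g');
}

// A user-declared entity must be a well-formed Name and must not shadow a built-in.
function isValidEntityName(name) {
  return XML_NAME_RE.test(name) && !Object.prototype.hasOwnProperty.call(BUILTIN_ENTITIES, name);
}

// Fixed pattern for references; the captured name is used only as a table key.
const ENTITY_REF_RE = /&([A-Za-z_:][A-Za-z0-9._:-]*);/g;

// Single-pass replacement: user entities are validated up front and looked up by
// name, built-ins take precedence, and unknown references are left untouched.
function replaceEntities(text, userEntities) {
  const table = Object.create(null);
  for (const [name, value] of Object.entries(userEntities)) {
    if (!isValidEntityName(name)) {
      throw new Error(`rejected entity name: ${JSON.stringify(name)}`);
    }
    table[name] = String(value);
  }
  return text.replace(ENTITY_REF_RE, (match, name) => {
    if (Object.prototype.hasOwnProperty.call(BUILTIN_ENTITIES, name)) return BUILTIN_ENTITIES[name];
    if (name in table) return table[name];
    return match; // unknown reference: a real parser would report an error here
  });
}

// Constructed demonstration (not real input).
const probe = '&lt;';
console.log('unsafe pattern for "l." matches "&lt;":', buildEntityPatternUnsafe('l.').test(probe));
console.log('escaped pattern for "l." matches "&lt;":', buildEntityPattern('l.').test(probe));
console.log(replaceEntities('<a>&greeting; &lt;b&gt;</a>', { greeting: 'hello' }));
```

The single-pass design is the one to prefer: because the reference grammar is a constant, the attacker controls only a dictionary key, and precedence of built-ins over user declarations is a one-line ordering decision rather than a property of whichever regex happened to run last.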
axios ships in the extension's client bundle, so this lockfile bump is a genuine fix that clears SEC-29850. All deps resolved from a0us.jfrog.io. @hapi/content and fast-xml-parser are transitive deps of verquire externals (@hapi/hapi, @aws-sdk/client-s3) with no runtime effect here, so their override "fix" was cosmetic and is dropped. The real remediation is tracked in IDS-7307 (webtask-monorepo). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2ee37d5 to ad95203
✏️ Changes
Three Snyk-flagged vulnerable dependencies have been bumped to non-vulnerable versions:
- axios 1.16.1 (was ^1.15.0) — direct dependency used in the React client bundle. Fixes a Snyk CVE.
- @hapi/content 6.0.2 via overrides (transitive via @hapi/hapi ^6.0.0) — clears the Snyk lockfile finding.
- fast-xml-parser 5.8.0 via overrides (transitive via @aws-sdk/core, which had an exact pin on 4.4.1) — clears the Snyk lockfile finding. This is a major version bump; all S3 storage tests pass.

The extension version is bumped 2.13.3 → 2.13.4 and the dist/ artifacts have been rebuilt accordingly.

📷 Screenshots
No visual changes — this is a dependency-only update.
🔗 References
🎯 Testing
npm test — 523 unit tests passing, including s3-storage-context.tests.js and storageprovider.tests.js which cover the fast-xml-parser 5.x risk surface via the AWS S3 path.

✅ This change has unit test coverage
🚫 This change has integration test coverage — not applicable for a dependency bump
🚫 This change has been tested for performance — not expected to affect performance; axios is used only in client-side actions
🚀 Deployment
✅ This can be deployed any time
🎡 Rollout
In order to verify that the deployment was successful we will confirm the updated extension loads correctly in the Auth0 Dashboard and that authorization rules continue to evaluate as expected.
🔥 Rollback
We will rollback if the extension fails to load or if authorization rule evaluation regresses after deployment.
📄 Procedure
Redeploy the previous dist/auth0-authz.extension.2.13.3.js artifact via the Release Prod workflow targeting the prior version tag.

🖥 Appliance
Note to reviewers: dependency-only update, no behavior changes. The @aws-sdk/client-s3 and @hapi/hapi externals remain at their existing pinned versions and are unaffected.