Skip to content

auth0-lock depends on vulnerable versions of dompurify #2608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
4 tasks done
jacekkoziol opened this issue May 19, 2025 · 0 comments
Open
4 tasks done

auth0-lock depends on vulnerable versions of dompurify #2608

jacekkoziol opened this issue May 19, 2025 · 0 comments
Labels
bug This points to a verified bug in the code

Comments

@jacekkoziol
Copy link

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

# npm audit report

dompurify  <3.2.4
Severity: moderate
DOMPurify allows Cross-site Scripting (XSS) - https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dompurify
  auth0-lock  >=11.30.1
  Depends on vulnerable versions of dompurify
  node_modules/auth0-lock

2 moderate severity vulnerabilities

Reproduction

  1. npm i auth0-lock
  2. npm audit

Additional context

No response

Lock version

13.0.0

Which browsers have you tested in?

Chrome
@jacekkoziol jacekkoziol added the bug This points to a verified bug in the code label May 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This points to a verified bug in the code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jacekkoziol