Attention! This release fixes a reported vulnerability in the PKCE workflow!
Read more here: GHSA-jhm7-29pj-4xvf
This affects all versions below 5.3.0.
What's Changed
PKCE fixes
- proper enforcement of the RFC 7636 ABNF for `code_verifier` and `code_challenge` (43 to 128 characters drawn only from the unreserved set `A-Z a-z 0-9 - . _ ~`)
- a failed PKCE verification revokes the authorization code, so the `code_verifier` cannot be brute forced by replaying the same code against the token endpoint
- challenge comparison uses a timing-safe (constant-time) comparison
`plain` challenges now need the explicit option `enablePlainPKCE` set to `true` when creating a new server instance. A `plain` challenge is the verifier itself, so it gives no protection when the authorization request can be observed; use `S256` unless a client genuinely cannot compute a SHA-256.
Other improvements
- Expose options property on OAuth2Server class types by @wille in #378
- ci: bump node versions to minimum 20 by @jankapunkt in #383
- fix: pass proper arguments to createHash by @jankapunkt in #387
- Docs: vitepress by @jankapunkt in #388
Dependencies
- build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #364
- build(deps-dev): bump mocha from 11.7.1 to 11.7.2 by @dependabot[bot] in #366
- build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in #369
- build(deps-dev): bump mocha from 11.7.2 to 11.7.3 by @dependabot[bot] in #371
- build(deps-dev): bump mocha from 11.7.3 to 11.7.4 by @dependabot[bot] in #372
- build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #373
- build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in #374
- build(deps-dev): bump mocha from 11.7.4 to 11.7.5 by @dependabot[bot] in #375
- build(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 by @dependabot[bot] in #380
- build(deps): bump glob from 10.4.5 to 10.5.0 by @dependabot[bot] in #381
- build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #382
- build(deps-dev): bump sinon from 21.0.0 to 21.0.1 by @dependabot[bot] in #385
- build(deps-dev): bump chai from 4.5.0 to 6.2.2 by @dependabot[bot] in #386
- build(deps): bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #392
- build(deps): bump actions/setup-node from 4 to 6 by @dependabot[bot] in #393
- build(deps): bump actions/configure-pages from 4 to 5 by @dependabot[bot] in #394
- build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #395
- build(deps-dev): bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #396
- build(deps-dev): bump vitepress from 2.0.0-alpha.15 to 2.0.0-alpha.16 by @dependabot[bot] in #401
- build(deps): bump minimatch by @dependabot[bot] in #407
- build(deps-dev): bump rollup from 4.54.0 to 4.59.0 by @dependabot[bot] in #408
- build(deps-dev): bump sinon from 21.0.1 to 21.0.3 by @dependabot[bot] in #413
- build(deps-dev): bump nyc from 17.1.0 to 18.0.0 by @dependabot[bot] in #406
- build(deps): bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #420
- build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by @dependabot[bot] in #419
Full Changelog: v5.2.1...v5.3.0