chore(deps): bump oidc-provider from 7.14.1 to 8.2.1 in /dev/oidc-provider #212

Closed
dependabot[bot] wants to merge 1 commit into main from
dependabot/npm_and_yarn/dev/oidc-provider/oidc-provider-8.2.1

dependabot bot commented on behalf of github May 8, 2023

Bumps oidc-provider from 7.14.1 to 8.2.1.

Release notes

Sourced from oidc-provider's releases.

v8.2.1

Fixes

  • ignore post_logout_redirect_uris when logout is disabled (#1221) (d7dd6cf)

v8.2.0

Features

  • add correlation identifier to interactions (#1218) (c072352)

v8.1.2

This release contains only code refactoring, dependency, or documentation updates. The release process now also uses provenance statements.

v8.1.1

This release contains only code refactoring, documentation, and dependency updates.

v8.1.0

Features

  • mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

v8.0.0

⚠ BREAKING CHANGES

  • Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
  • The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
  • request_uri parameter is no longer supported at the Device Authorization Endpoint.
  • The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
  • PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
  • CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
  • Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
  • Completely removed v6.x way of setting access token formats.
  • expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
  • Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
  • Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
  • features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
  • id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
  • userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
  • introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
  • authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
  • The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
  • request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
  • httpOptions return property lookup was renamed to dnsLookup.
  • httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.
  • oidc-provider is now an ESM-only module, it must now be imported using the import declaration or the import() syntax, the Provider constructor is the module's default export, the errors and interactionPolicy exports are the package's named exports. There is no Provider named export.
  • httpOptions no longer defaults to using the npm module cacheable-lookup as its dnsLookup option. It defaults to node:dns module's lookup export instead.
  • PASETO Access Token format support was removed.
  • Removed support for Node.js 12.
  • Removed support for Node.js 14.
  • Removed support for Node.js 16.

... (truncated)

Changelog

Sourced from oidc-provider's changelog.

8.2.1 (2023-05-06)

Fixes

  • ignore post_logout_redirect_uris when logout is disabled (#1221) (d7dd6cf)

8.2.0 (2023-04-24)

Features

  • add correlation identifier to interactions (#1218) (c072352)

8.1.2 (2023-04-21)

8.1.1 (2023-03-09)

8.1.0 (2023-01-23)

Features

  • mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

8.0.0 (2022-12-03)

⚠ BREAKING CHANGES

  • Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
  • The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
  • request_uri parameter is no longer supported at the Device Authorization Endpoint.
  • The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
  • PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
  • CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
  • Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
  • Completely removed v6.x way of setting access token formats.
  • expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
  • Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
  • Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
  • features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
  • id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
  • userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
  • introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
  • authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
  • The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
  • request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
  • httpOptions return property lookup was renamed to dnsLookup.
  • httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.

... (truncated)

Commits
  • ba4641a chore(release): 8.2.1
  • 7aaee64 chore: bump dev deps
  • d7dd6cf fix: ignore post_logout_redirect_uris when logout is disabled (#1221)
  • 095ca06 ci: auto-retry conformance tests
  • 00c5a83 chore: bump deps
  • 685d89a chore: bump deps
  • d234bdf chore(release): 8.2.0
  • bc5e7b0 chore: bump dev deps
  • c072352 feat: add correlation identifier to interactions (#1218)
  • 63c044d build: no need to npm i -g npm for provenance on lts/hydrogen
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oidc-provider](https://github.com/panva/node-oidc-provider) from 7.14.1 to 8.2.1.
- [Release notes](https://github.com/panva/node-oidc-provider/releases)
- [Changelog](https://github.com/panva/node-oidc-provider/blob/main/CHANGELOG.md)
- [Commits](panva/node-oidc-provider@v7.14.1...v8.2.1)

---
updated-dependencies:
- dependency-name: oidc-provider
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels May 8, 2023

dependabot bot commented on behalf of github Jun 5, 2023

Superseded by #218.

dependabot bot closed this Jun 5, 2023
dependabot bot deleted the dependabot/npm_and_yarn/dev/oidc-provider/oidc-provider-8.2.1 branch June 5, 2023 14:58
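
Added example, not part of this pull request or of oidc-provider's own code: a pre-upgrade audit of stored client metadata against two of the 8.0.0 breaking changes listed in the release notes above (the `*_signed_response_alg` requirement and the RSA1_5 removal). The helper names and the sample clients are hypothetical, and the check looks only at explicitly stored metadata, not at defaults the provider may apply.

```javascript
// Added example: flags client registrations that the 8.0.0 release notes
// say will no longer be accepted. auditClient/auditClients are hypothetical
// helpers; they do not call into oidc-provider.

// The four response kinds named in the breaking-changes list.
const RESPONSE_KINDS = ['id_token', 'userinfo', 'introspection', 'authorization'];

function auditClient(client) {
  const findings = [];
  for (const kind of RESPONSE_KINDS) {
    const enc = client[`${kind}_encrypted_response_alg`];
    const sig = client[`${kind}_signed_response_alg`];
    if (enc === undefined) continue; // encryption not requested, nothing to check

    // 8.0.0: <kind>_signed_response_alg must be set when
    // <kind>_encrypted_response_alg is also set on a client.
    if (sig === undefined) {
      findings.push(`${kind}_encrypted_response_alg set without ${kind}_signed_response_alg`);
    }
    // 8.0.0: the RSA1_5 JWE Key Management Algorithm is completely removed.
    if (enc === 'RSA1_5') {
      findings.push(`${kind}_encrypted_response_alg uses removed RSA1_5`);
    }
  }
  return findings;
}

// Returns { client_id: [finding, ...] } for clients that need attention.
function auditClients(clients) {
  const report = {};
  for (const client of clients) {
    const findings = auditClient(client);
    if (findings.length > 0) report[client.client_id] = findings;
  }
  return report;
}

// Constructed sample metadata, as it might be stored by an adapter.
const sampleClients = [
  { client_id: 'spa', id_token_signed_response_alg: 'ES256' },
  { client_id: 'legacy-rp', id_token_signed_response_alg: 'RS256',
    id_token_encrypted_response_alg: 'RSA1_5' },
  { client_id: 'reporting', userinfo_encrypted_response_alg: 'ECDH-ES' },
];

console.log(auditClients(sampleClients));
```

Running this against an export of the real client store before merging a major-version bump shows which registrations need a metadata change first.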