Skip to content

chore(deps-dev): bump @node-oauth/oauth2-server and @node-oauth/express-oauth-server#1531

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-884089b7ed
Open

chore(deps-dev): bump @node-oauth/oauth2-server and @node-oauth/express-oauth-server#1531
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-884089b7ed

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps @node-oauth/oauth2-server and @node-oauth/express-oauth-server. These dependencies needed to be updated together.
Updates @node-oauth/oauth2-server from 4.3.3 to 5.3.0

Release notes

Sourced from @​node-oauth/oauth2-server's releases.

5.3.0

Attention! This release fixes a reported vulnerability in the PKCE workflow!

Read more here: GHSA-jhm7-29pj-4xvf

This affects all versions below 5.3.0.

What's Changed

PKCE fixes

  • proper enforcement of parameter ABNF
  • failed PKCE challenge revokes authorization code to prevent brute force
  • challenge comparison using timing safe comparison
  • plain challenges need explicit option enablePlainPKCE to be true when creating a new server instance

Other improvements

Dependencies

Full Changelog: node-oauth/node-oauth2-server@v5.2.1...v5.3.0

... (truncated)

Changelog

Sourced from @​node-oauth/oauth2-server's changelog.

Changelog

5.0.0

This release contains several breaking changes. Please carefully consult the documentation while updating.

  • removed bluebird and promisify-any
  • uses native Promises and async/await everywhere
  • drop support for Node 14 (EOL), setting Node 16 as engine in package.json
  • this is a breaking change, because it removes callback support for OAuthServer and your model implementation.
  • fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
  • fix scope validation bug
  • revoke code before validating redirect URI
  • improved Bearer token validation
  • validate scope as an array of strings (breaking change)
  • model support for retrieving user based on client
  • more tests added; test coverage improved

4.2.0

Fixed

  • fix(core): Bearer regular expression matching in authenticate handler #105
  • fix(request): set WWW-Authenticate header for invalid requests #96 oauthjs#646
  • fix(handler): deny access when body.allowed is 'false' (#94)
  • fix(handlers): skip varcheck for state when allowEmptyState #89 #93

Added

  • supported custom validateRedirectUri
  • feature: Supported state in case of denialMerge #99
  • Bearer regular expression matching in authenticate handler
  • docs: Update extension-grants.rst with example #92
  • feature(core): extract is.js into standalone package @​node-oauth/formats #55
  • feature(authorize): allow custom implementations of validateRedirectUri via model #89 p.4
    • support custom validateRedirectUri()
    • allow to implement model.validateRedirectUri
    • updated AuthorizeHandler
    • default conforms with RFC 6819 Section-5.2.3.5

Tests

  • Integration test password grant (#100)
    • test example
    • created db & model factories
    • added refresh_token grant type test
    • removed failing test, not implemented feature
    • add reference to issue
    • client authentication test
    • random client credentials in test
    • replace math.random by crypto.randomBytes

... (truncated)

Commits
  • cc70455 fix(deps): update package-lock after bumping package version
  • ef467c9 Merge commit from fork
  • 8a35509 publish 5.3.0
  • fe22982 fix: always perform timing safe euqal check on PKCE challenge
  • e2fcac4 fix: cover thrown errors in PKCE tests
  • 2d0659f fix: multiple PKCE vulnerabilities addressed
  • 79b7cf5 Merge pull request #419 from node-oauth/dependabot/npm_and_yarn/handlebars-4.7.9
  • a9c6028 Merge pull request #420 from node-oauth/dependabot/github_actions/actions/con...
  • 8b54e5b build(deps): bump actions/configure-pages from 5 to 6
  • ba80c3b build(deps-dev): bump handlebars from 4.7.8 to 4.7.9
  • Additional commits viewable in compare view

Updates @node-oauth/express-oauth-server from 3.0.1 to 4.1.5

Release notes

Sourced from @​node-oauth/express-oauth-server's releases.

4.1.5

What's Changed

Full Changelog: node-oauth/express-oauth-server@v4.1.4...v4.1.5

v4.1.4

What's Changed

Full Changelog: node-oauth/express-oauth-server@v4.1.3...v4.1.4

v4.1.3

What's Changed

Full Changelog: node-oauth/express-oauth-server@v4.1.2...v4.1.3

v4.1.2

What's Changed

Full Changelog: node-oauth/express-oauth-server@v4.1.1...v4.1.2

v4.1.1

This release was mostly to fix a vulnerability in body-parser dependency.

What's Changed

Full Changelog: node-oauth/express-oauth-server@v4.1.0...v4.1.1

v4.1.0

Installation

NPM Link: https://www.npmjs.com/package/@​node-oauth/express-oauth-server/v/4.1.0

</tr></table> 

... (truncated)

Changelog

Sourced from @​node-oauth/express-oauth-server's changelog.

Changelog

4.0.0

  • bump minimal node to 16
  • upgrade @​node-oauth/oauth2-server to 5.1.0
  • drop bluebird dependency
  • upgrade all deps / dev-deps
  • refactor all code to minimum es6
  • use native async/await

3.0.0

  • use @​node-oauth/oauth2-server
  • update all dependencies to latest
  • add code coverage to tests
  • add GitHub actions CI
  • replace jshint with eslint

These previous versions are from the forked oauthjs org. We did not publish them are related in any way to these publications.

2.0.0

  • Refactor for v3.0.0 of node-oauth2-server

1.0.0

  • Initial Release
Commits
  • 3b6a412 Merge pull request #42 from node-oauth/dependabot/npm_and_yarn/lodash-4.17.23
  • 290d12c build(deps-dev): bump lodash from 4.17.21 to 4.17.23
  • 19df589 Merge pull request #41 from node-oauth/alert-autofix-28
  • bf488c6 Potential fix for code scanning alert no. 28: Workflow does not contain permi...
  • 66d8c3e fix(deps): bump vulnerable dev deps
  • 17c9151 Merge pull request #40 from node-oauth/ci/upgrade-node-20
  • 4594721 ci: upgrade node versions and actions versions
  • 2020613 Merge pull request #37 from node-oauth/dependabot/npm_and_yarn/js-yaml-3.14.2
  • 2f0c3b2 Merge pull request #39 from node-oauth/dependabot/npm_and_yarn/express-5.2.0
  • 49528f6 build(deps-dev): bump express from 5.0.1 to 5.2.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…ss-oauth-server

Bumps [@node-oauth/oauth2-server](https://github.com/node-oauth/node-oauth2-server) and [@node-oauth/express-oauth-server](https://github.com/node-oauth/express-oauth-server). These dependencies needed to be updated together.

Updates `@node-oauth/oauth2-server` from 4.3.3 to 5.3.0
- [Release notes](https://github.com/node-oauth/node-oauth2-server/releases)
- [Changelog](https://github.com/node-oauth/node-oauth2-server/blob/master/CHANGELOG.md)
- [Commits](node-oauth/node-oauth2-server@v4.3.3...v5.3.0)

Updates `@node-oauth/express-oauth-server` from 3.0.1 to 4.1.5
- [Release notes](https://github.com/node-oauth/express-oauth-server/releases)
- [Changelog](https://github.com/node-oauth/express-oauth-server/blob/master/CHANGELOG.md)
- [Commits](node-oauth/express-oauth-server@v3.0.1...v4.1.5)

---
updated-dependencies:
- dependency-name: "@node-oauth/oauth2-server"
  dependency-version: 5.3.0
  dependency-type: direct:development
- dependency-name: "@node-oauth/express-oauth-server"
  dependency-version: 4.1.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2026
@danielpeintner

Copy link
Copy Markdown
Member

Failing with
Exception during run: SyntaxError[ @/home/runner/work/node-wot/node-wot/packages/binding-http/test/http-client-oauth-tests.ts ]: Invalid or unexpected token

see https://github.com/eclipse-thingweb/node-wot/actions/runs/29413890435/job/87347155881?pr=1531#step:9:231

It is similar to what we had in #1377 (comment) and was fixed with #1418

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant