Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency next-auth to v4.24.5 [security] #263

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 22, 2022

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next-auth (source) 4.0.2 -> 4.24.5 age adoption passing confidence
next-auth (source) 4.23.2 -> 4.24.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-24858

next-auth v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our migration guide).next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
    // Allows relative callback URLs
    if (url.startsWith("/")) return new URL(url, baseUrl).toString()
    // Allows callback URLs on the same origin
    else if (new URL(url).origin === baseUrl) return url
    return baseUrl
}

If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.

CVE-2022-29214

Impact

We found that this vulnerability is present when the developer is implementing an OAuth 1 provider (by extension, it means Twitter, which is the only built-in provider using OAuth 1), but upgrading is still recommended.

next-auth v3 users before version 3.29.3 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.3.3 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.3
  • v4 - 4.3.3

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3.)

Workarounds

If you are not able to upgrade for any reason, you can add the following configuration to your callbacks option:

// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
    // Allows relative callback URLs
    if (url.startsWith("/")) return `${baseUrl}${url}`
    // Allows callback URLs on the same origin
    else if (new URL(url).origin === baseUrl) return url
    return baseUrl
}

References

This vulnerability was discovered right after GHSA-f9wg-5f46-cjmw was published and is very similar in nature.

Read more about the callbacks.redirect option in the documentation: https://next-auth.js.org/configuration/callbacks#redirect-callback

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 April 20th, a response was sent out to the reporter 8 minutes after, and a patch was produced within a few days.

CVE-2022-31093

Impact

An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our API route handler timing out and logging in to fail. This has been remedied in the following releases:

next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.5.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.5
  • v4 - 4.5.0

You can do:

npm i next-auth@latest

or

yarn add next-auth@latest

or

pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Here is an example:

Before:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

export default NextAuth(/* your config */)

After:

// pages/api/auth/[...nextauth].js
import NextAuth from "next-auth"

function isValidHttpUrl(url) {
  try {
    return /^https?:/.test(url).protocol
  } catch {
    return false;
  }
}

export default async function handler(req, res) {
  if (
    req.query.callbackUrl &&
    !isValidHttpUrl(req.query.callbackUrl)
  ) {
   return res.status(500).send('');
  }
  
  return await NextAuth(req, res, /* your config */)
}

References

This vulnerability was discovered not long after GHSA-q2mx-j4x2-2h74 was published and is very similar in nature.

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: nextauthjs/next-auth@e498483

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 10th, a response was sent out to the reporter in less than 2 hours, and a patch was published within 3 hours.

CVE-2022-31127

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to balazs@email.com, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.8
  • v4 - 4.9.0

You can do:

npm i next-auth@latest

# or
yarn add next-auth@latest

#
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

CVE-2022-35924

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@&#8203;victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@&#8203;")
  // The part before "@&#8203;" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@&#8203;${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

CVE-2022-31186

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest

# or
yarn add next-auth@latest

# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs:

// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
  debug: process.env.NODE_ENV !== "production",
  logger: {
    error: (code, metadata) => {
      if (!(metadata instanceof Error) &&  metadata.provider) {
        // redact the provider secret here
        delete metadata.provider
        log.error(code, metadata)
      } else {
        log.error(code, metadata)
      }
    }
  },
}

References

Related documentation:

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

CVE-2023-27490

Impact

next-auth applications using OAuth provider versions before v4.20.1 are affected.

A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing the CSRF protection.

As an example, an attack can happen in the following scenario.

TL;DR: The attacker steals the victim's authenticated callback by intercepting and tampering with the authorization URL created by next-auth.

  1. The victim attempts to log in to the next-auth site. For example https://next-auth-example.vercel.app/
  2. next-auth sets the checks cookies according to how the OAuth provider is configured. In this case, state and pkce are set by default for the Google Provider.

Screen Shot 2023-03-03 at 09 54 26

  1. The attacker intercepts the returned authorization URL, strips away the OAuth check (nonce, state, pkce), and returns the URL without the check to the victim's browser. For example:
    From
    https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&state=state&code_challenge=code_challenge&code_challenge_method=S256&service=lso&o2v=2&flowName=GeneralOAuthFlow
    to
    https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=client_id&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fnext-auth-example.vercel.app%2Fapi%2Fauth%2Fcallback%2Fgoogle&service=lso&o2v=2&flowName=GeneralOAuthFlow.
    Notice the parameters state, code_challenge and code_verifier are removed from the victim's address bar.

  2. The victim attempts to log in using their OAuth account.

  3. The Authorization Server logs the victim in and calls back to the next-auth api/auth/callback/:providerIdendpoint.
    5.1. The attacker intercepts and logs this callback URL for later use.
    5.2. next-auth checks the callback call from OAuth Authorization Server (doesn't have checks) and compares the checks with the cookies set (has checks) at step 2. This check will fail, resulting in the victim isn't logged in. However, at this step, the Authorization Server has already accepted the victim's request to log in and generated/sent a code in the URL.

  4. The attacker now has an authorization URL with the code that the AS will exchange for valid access_token/id_token and can log in as the victim automatically. They can open a new browser window and paste in the URL logged at step 5.1 and log in as the victim.

Patches

We patched the vulnerability in next-auth v4.20.1
To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using Advanced Initialization, developers can manually check the callback request for state, pkce, and nonce against the provider configuration, and abort the sign-in process if there is a mismatch. Check out the source code for help.

References

CVE-2023-48309

Impact

next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected.

A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce).

Manually overriding the next-auth.session-token cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string).

This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.)

This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout).

Note: Regardless of the vulnerability, the existence of a NextAuth.js session state can provide simple authentication, but not authorization in your applications. For role-based access control, you can check out our guide.

Patches

We patched the vulnerability in next-auth v4.24.5. To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

Workarounds

Upgrading to latest is the recommended way to fix this issue. However, using a custom authorization callback for Middleware, developers can manually do a basic authentication:

// middleware.ts
import { withAuth } from "next-auth/middleware"

export default withAuth(/*your middleware function*/, {
  // checking the existence of any property - besides `value` which might be a random string - on the `token` object is sufficient to prevent this vulnerability
  callbacks: { authorized: ({ token }) => !!token?.email }
})

References


Release Notes

nextauthjs/next-auth (next-auth)

v4.24.5

Compare Source

Bugfixes

  • differentiate between issued JWTs

v4.24.4

Compare Source

Bugfixes

  • allow Next.js 14 as peer dependency

v4.24.3

Compare Source

Bugfixes
  • css build error

v4.24.2

Compare Source

Bugfixes
  • css build error

v4.24.1

Compare Source

Bugfixes
  • css build error

v4.24.0

Compare Source

Features

v4.23.2

Compare Source

Bugfixes

  • next: returns correct status for signing in with redirect: false for route handler (#​8775) (27b2519)
  • ts: fix typo (d813c00)
  • remove trailing ? from signIn URL (#​8466)

Other

  • update security policy link

v4.23.1

Compare Source

Bugfixes

  • ts: correctly expose next-auth/adapters (20c3fe3)
  • use default submodules export in package.json (#​8330)

v4.23.0

Compare Source

Features

  • providers: add Passage by 1Password (5a8aa2e)

Bugfixes

  • ts: correctly export submodule types (05ff6ae)
  • sort cookie chunks correctly (#​8284)

v4.22.5

Compare Source

Bugfixes

Other

  • docs: amplify note

v4.22.4

Compare Source

Bugfixes

Other

  • docs: fixing broken link in documentation (#​8208)
  • docs: clarify getServerSession
  • docs: move unstable_getServerSession
  • docs: Typo fixed (#​8206)
  • docs(providers): mention HTTP-based Email guide (#​8214)
  • docs: Update object key "email" to "username" (#​8113)
  • doc: Add a guide on sending magic links to existing users only (#​7663)
  • docs: Update refresh-token-rotation.md - fix example client code filename (#​8088)
  • docs(providers): updated docs with missing account attribute (#​8084)

v4.22.3

Compare Source

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.22.2...next-auth@4.22.3

v4.22.2

Compare Source

Bugfixes

Other

  • remove unused TS types
  • merge changes back to v4 (#​7430)
  • rephrase

v4.22.1

Bugfixes

  • detect origin when instanceof Request check fails (#​7303)

Other

v4.21.1

Compare Source

Bugfixes

v4.21.0

Compare Source

Features

  • make it possible to update the session (#​7056)

Bugfixes

Other

  • release with declaration maps
  • fix tests
  • correct ts import

v4.20.1

Compare Source

v4.20.0

Compare Source

v4.19.2

Compare Source

What's Changed

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.19.1...next-auth@4.19.2

v4.19.1

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.19.0...next-auth@4.19.1

v4.19.0

Compare Source

What's Changed

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.18.10...next-auth@4.19.0

v4.18.10

Compare Source

v4.18.9

Compare Source

v4.18.8

Compare Source

What's Changed

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@v4.18.7...next-auth@4.18.8

v4.18.7

Compare Source

Bugfixes

v4.18.6

Compare Source

Bugfixes

v4.18.5

Compare Source

Bugfixes

v4.18.4

Compare Source

Bugfixes

v4.18.3

Compare Source

Bugfixes

  • core: throw error if no action can be determined (157269e)
  • core: add protocol if missing (221bc8e)

Other

v4.18.2

Compare Source

Bugfixes

v4.18.1

Compare Source

Bugfixes

  • core: don't mutate authOptions in unstable_getServerSession (#​5973) (b19b2bc)

Other

v4.18.0

Compare Source

Features

  • core: make pkce and state maxAge configurable on the cookies (#​4719) (f277989)

Bugfixes

Other

v4.17.0

Compare Source

Features

Bugfixes

Other

  • fix signin btns svg URLs to 'main' (#​5826)

v4.16.4

Compare Source

Bugfixes

v4.16.3

Compare Source

Bugfixes

v4.16.2

Compare Source

Bugfixes

  • next: build RSC+unstable_getServerSession (180c625)

v4.16.1

Compare Source

v4.16.0

Features

  • next: allow unstable_getServerSession in Server Components (#​5741) (e90925b)

v4.15.1

Compare Source

Bugfixes

Other

  • update example to Next.js 13

v4.15.0

Compare Source

Features

Other

v4.14.0

Compare Source

Features

Bugfixes

Other

  • dev: improve DX (f38ee19)
  • fix TS lint

v4.13.0

Compare Source

Features

Bugfixes

Other

  • docs: update middleware documentation link (#​5492) (0a4b99d)
  • release: bump package version(s) [skip ci] (d6efda0)

v4.12.3

Compare Source

Bugfixes

Other

v4.12.2

Compare Source

Bugfixes

v4.12.1

Compare Source

Bugfixes

v4.12.0

Compare Source

Features

  • core: make session token with DB session strategy customizable (#​5328) (965c626)

Others

v4.11.0

Compare Source

Features

Bugfixes

  • middleware: use includes() for NextAuth pages (#​5104) (44f2a47)
  • providers: use client_secret_post token auth for LinkedIn (#​5236) (ba20974)
  • providers: convert Strava Provider to TS (#​5241) (f1d3bc2)
  • providers: Add appid param to Azure AD wellKnown URL (#​5138) (a03657e)
  • Change getToken parameter type to required (#​5245)
  • return null in unstable_getServerSession if there's an error (#​5218)
  • Use consistent error type between doc, logger and error class (#​5046)

Other

v4.10.3

Compare Source

Bugfixes

  • providers: add normalizeIdentifier to EmailProvider (afb1fcd)
  • ts: fix jsdoc link to documentation (#​5039) (a21db89)
  • avoid redirect on always public paths (#​5000)

v4.10.2

Compare Source

Bugfixes

v4.10.1

Compare Source

Bugfixes

Other

  • ts: explicitly set next path in next-auth (fb60554)
  • revert type assertion
  • add Thang to contributor (#​4944)
  • add TODO comment for next major version

v4.10.0

Compare Source

Features

Bugfixes


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx April 22, 2022 21:41 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 960a11e to 911a43a Compare May 5, 2022 15:47
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx May 5, 2022 15:53 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 911a43a to 0aa410c Compare May 12, 2022 16:50
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx May 12, 2022 16:56 Inactive
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.3.2 [security] chore(deps): update dependency next-auth to 4.3.3 [security] May 24, 2022
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 0aa410c to ce0624c Compare May 24, 2022 23:56
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx May 25, 2022 00:01 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from ce0624c to 94fd608 Compare June 21, 2022 23:13
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.3.3 [security] chore(deps): update dependency next-auth to 4.5.0 [security] Jun 21, 2022
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx June 21, 2022 23:18 Inactive
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.5.0 [security] chore(deps): update dependency next-auth to 4.5.0 [SECURITY] Jun 27, 2022
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.5.0 [SECURITY] chore(deps): update dependency next-auth to 4.5.0 [security] Jun 28, 2022
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 94fd608 to f785d8e Compare July 6, 2022 21:11
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.5.0 [security] chore(deps): update dependency next-auth to 4.9.0 [security] Jul 6, 2022
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx July 6, 2022 21:17 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from f785d8e to 1e22b7d Compare August 2, 2022 20:05
@renovate renovate bot changed the title chore(deps): update dependency next-auth to 4.9.0 [security] chore(deps): update dependency next-auth to 4.10.3 [security] Aug 2, 2022
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx August 2, 2022 20:12 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 1e22b7d to d80a726 Compare October 28, 2022 16:03
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx October 28, 2022 16:09 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from d80a726 to 5f5c03e Compare January 17, 2023 11:15
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx January 17, 2023 11:43 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 5f5c03e to 3cb0d27 Compare January 17, 2023 20:36
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx January 17, 2023 20:42 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 3cb0d27 to 0c8bb8e Compare January 18, 2023 03:10
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx January 18, 2023 03:11 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 0c8bb8e to 2ca6410 Compare January 26, 2023 01:51
@github-actions github-actions bot temporarily deployed to enfants-du-spectacle-renovate-npm-next-auth-vulnerabili-5jywlx January 26, 2023 01:59 Inactive
@renovate renovate bot restored the renovate/npm-next-auth-vulnerability branch February 24, 2024 01:37
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 7234041 to 6034e30 Compare February 24, 2024 01:49
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 6034e30 to 67ab8f2 Compare February 25, 2024 10:52
Copy link

sonarcloud bot commented Apr 14, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 6b40551 to 3fd8a62 Compare June 4, 2024 12:56
Copy link

sonarcloud bot commented Jun 4, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Copy link

sonarcloud bot commented Sep 1, 2024

Copy link

sonarcloud bot commented Oct 9, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants