This repository was archived by the owner on Dec 18, 2024. It is now read-only.

@edwardsph
Contributor


Snyk has created this PR to upgrade @inrupt/solid-client-authn-browser from 2.0.0 to 2.3.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 10 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: @inrupt/solid-client-authn-browser
  • 2.3.0 - 2024-11-14

    Deprecation notice

    • A new signature is introduced for getSessionFromStorage in this release. The legacy signature is
      deprecated, and could be removed with the next major release.
    // Deprecated signature
    const session = await getSessionFromStorage(
      sessionId,
      storage,
      onNewRefreshToken,
      refresh,
    );
    // Replacement signature
    const session = await getSessionFromStorage(sessionId, {
      storage,
      onNewRefreshToken,
      refresh,
    });

    Bugfix

    node

    • The session expiration date (session.info.expirationDate) is now correct when loading a Session from storage.

    Feature

    node

    • It is now possible to build a Session using getSessionFromStorage and not log it in
      using its refresh token. To do so, a new refresh optional flag has been introduced.
      It defaults to true, which makes this a non-breaking change. In addition, a new signature
      is introduced to make it easier to provide the optional arguments:
    // Legacy signature only specifying one optional argument
    const session = await getSessionFromStorage(
      sessionId,
      undefined,
      undefined,
      false,
    );

    // New signature
    const session = await getSessionFromStorage(sessionId, { refresh: false });

    Full Changelog: v2.2.7...v2.3.0

  • 2.2.7 - 2024-10-30

    Bugfix

    node

    • The IdP logout no longer fails in Node if the session was restored from
      storage (using getSessionFromStorage), which is the typical way server-side
      sessions are retrieved.

    Full Changelog: v2.2.6...v2.2.7

  • 2.2.6 - 2024-09-18

    node and browser

    • Repository URL in package.json updated to set the repository.type property to git. This is intended to
      restore the previous behavior of npm view @inrupt/solid-client-authn repository.url, expected to return
      git+https://github.com/inrupt/solid-client-authn-js.git.

    Full Changelog: v2.2.5...v2.2.6

  • 2.2.5 - 2024-09-16

    New Features

    • Node 22 is now supported

    Full Changelog: v2.2.4...v2.2.5

  • 2.2.4 - 2024-06-24

    Bugfixes

    node and browser

    • The clientAppId property is now correctly set in the ISessionInfo objects returned by the handleIncomingRedirect function in ClientAuthentication and in the Session class.

    node

    • The keepAlive option (introduced in v2.2.0) is now correctly observed in a script using the Client Credentials flow (i.e. using a clientId and a clientSecret to log in). It previously was disregarded, and the Session always self-refreshed in the background.

    Full Changelog: v2.2.3...v2.2.4

  • 2.2.3 - 2024-06-20

    Bugfix

    node and browser

    • Fix parsing clientId from ID Token azp claim: the parsing of the ID Token payload was not correctly extracting the clientId from the azp claim. As a result, session.info.clientAppId was not being initialised upon successful login, which prevented the idp logout of the session from working as expected.

    Full Changelog: v2.2.2...v2.2.3

  • 2.2.2 - 2024-06-18

    Bugfix

    node

    • Maintain token type in getSessionIdFromStorage: When loading a session from storage on the server
      (using getSessionIdFromStorage), the token type (i.e. DPoP-bound or not, referred to as Bearer) is
      now consistent with the token type initially associated with the session. Previously, regardless of
      the token type requested when logging the session in, the token type defaulted to DPoP when logging
      the session back in on load from storage, causing authentication issues.

    Full Changelog: v2.2.1...v2.2.2

  • 2.2.1 - 2024-06-05

    Bugfix

    browser

    • Fix #3518: Prevent refresh token from being persisted in local storage.

    Full Changelog: v2.2.0...v2.2.1

  • 2.2.0 - 2024-05-03

    New Feature

    node

    • It is now possible to prevent a Session self-refreshing in NodeJS. To do so, a new
      parameter is added to the constructor: Session({ keepAlive: false }). This prevents
      the Session setting a callback to refresh the Access Token before it expires, which
      could cause a memory leak in the case of a server-side application with many users.
      It also avoids unnecessary requests being sent to the OpenID Provider.
  • 2.1.0 - 2024-03-14

    New Feature

    node and browser

    • OpenID Providers with multiple JWK in their JWKS are now supported. Thanks to
      @pavol-brunclik-compote for the original contribution.

    node

    • Authorization code flow for statically registered clients is now supported. Statically registered
      clients previously defaulted to the Client Credentials flow; it is no longer an assumption.

    Bugfix

    browser

    • Fix non-DPoP bound tokens support in browser: a bug in the handling of non-DPoP-bound tokens was
      preventing the auth code grant from completing, with a 401 from the OpenId Provider Token Endpoint
      observed on redirect after the user authenticated. It is now possible to do
      session.login({/*...*/, tokenType: "Bearer"}) and get a successful result.
  • 2.0.0 - 2023-12-20
from @inrupt/solid-client-authn-browser GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
@inrupt/solid-client-authn-browser

See this project in Snyk:
https://app.snyk.io/org/engineering-CGCiXj96RbVotntN7wcPgV/project/cd1ebe52-e569-4546-b6fc-0450503c131a?utm_source=github&utm_medium=referral&page=upgrade-pr
@edwardsph edwardsph requested a review from a team as a code owner December 17, 2024 19:51
@vercel

vercel bot commented Dec 17, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
solid-ui-react ❌ Failed (Inspect) Dec 17, 2024 8:37pm

@NSeydoux
Contributor

This project is deprecated.

@NSeydoux NSeydoux closed this Dec 18, 2024