security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fdd1193 to
9e763d7
Compare
Contributor
|
@harekrishnarai |
9e763d7 to
eae4d64
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2629 +/- ##
=======================================
Coverage 42.54% 42.54%
=======================================
Files 120 120
Lines 3145 3145
Branches 337 337
=======================================
Hits 1338 1338
Misses 1713 1713
Partials 94 94 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
ankita10119
approved these changes
Jul 18, 2025
Contributor
ankita10119
left a comment
There was a problem hiding this comment.
I’ve verified the changes look clean and the CI builds/tests are passing, which is great.
Tested the build locally by linking with the auth0/react-sample app — no issues found.
I’ll include a summary of this security fix (SEC-2160) as part of the upcoming consolidated changelog.
ankita10119
approved these changes
Jul 20, 2025
ankita10119
added a commit
that referenced
this pull request
Jul 21, 2025
…0) (#2629) This PR resolves the security vulnerability SEC-2160 by removing the vulnerable `node-es-module-loader@0.3.8` dependency that was pulling in `core-js@2.6.12`. 1. **Removed vulnerable dependency**: Removed `node-es-module-loader@0.3.8` from devDependencies 2. **Updated lang-audit script**: Modified `scripts/lang-audit.js` to use native ES6 dynamic imports instead of the old module loader 3. **Leveraged existing infrastructure**: The script already uses the `esm` package, enabling native `import()` calls - ✅ Eliminates the operational risk from `core-js@2.6.12` - ✅ Maintains all existing functionality - ✅ All 68 test suites pass (401 tests total) - ✅ The `i18n:validate` script continues to work correctly - All existing tests pass - The i18n validation script functions correctly with 100% coverage - No breaking changes introduced This fix completely resolves the Socket security alert for `core-js@2.6.12` while maintaining backward compatibility. Co-authored-by: Ankita Tripathi <51994119+ankita10119@users.noreply.github.com>
|
@ankita10119 could you please cut a release with this sec fix? |
Contributor
@jcchavezs |
Merged
omarquazi-okta
added a commit
that referenced
this pull request
Aug 7, 2025
**Fixes** - Update old Twitter icon and name to "X" [\#2649](#2649) ([ omarquazi-okta](https://github.com/omarquazi-okta)) - Fix: social connection names not showing displayName correctly [\#2651](#2651) ([ omarquazi-okta](https://github.com/omarquazi-okta)) - Fix: Accessibility Issues [\#2624](#2624) ([ankita10119](https://github.com/ankita10119)) - security: Remove vulnerable node-es-module-loader dependency (SEC-2160) [\#2629](#2629) ([harekrishnarai](https://github.com/harekrishnarai))
ankita10119
added a commit
that referenced
this pull request
Sep 12, 2025
### Changed - Bump karma from 6.4.3 to 6.4.4 - Bump pbkdf2 from 3.1.2 to 3.1.3 - Bump validator from 13.15.0 to 13.15.15 - Bump sha.js from 2.4.11 to 2.4.12 - Bump cipher-base from 1.0.4 to 1.0.6 - Bump codecov/codecov-action from 5.4.3 to 5.5.1 - Bump puppeteer from 24.9.0 to 24.19.0 - Bump tmp from 0.2.3 to 0.2.5 - bump fsevents to latest(SEC- 2161) - Bump eslint-plugin-react from 7.34.1 to 7.37.5 - Bump @grpc/grpc-js and @google-cloud/translate ### Fixed - Fix: social connection names not showing displayName correctly [\#2651](#2651) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Update old Twitter icon and name to "X" [\#2649](#2649) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Fix issue 2546 - TypeError: Super expression must either be null or a function [\#2578](#2578) ([Hworden](https://github.com/Hworden)) - Fix: Accessibility Issues #2624 [\#2642](#2642) ([ankita10119](https://github.com/ankita10119)) - fix: Rename shop strategy [\#2641](#2641) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Fix release pipeline cdn [\#2628](#2628) ([developerkunal](https://github.com/developerkunal)) - Fix Release PIPELINE [\#2627](#2627) ([developerkunal](https://github.com/developerkunal)) - chore: update .gitignore and Makefile for Puppeteer cache and config directories [\#2626](#2626) ([developerkunal](https://github.com/developerkunal)) - Fix Makefile for Puppeteer cache support [\#2625](#2625) ([developerkunal](https://github.com/developerkunal)) ### Removed - chore(ci): Remove Semgrep GHA Workflow [\#2650](#2650) ([eduardoboronat-okta](https://github.com/eduardoboronat-okta)) ### Security - security: Remove vulnerable node-es-module-loader dependency (SEC-2160) [\#2629](#2629) ([harekrishnarai](https://github.com/harekrishnarai)) ### Testing <!-- Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. --> * [ ] This change adds unit test coverage * [ ] This change adds integration test coverage * [ ] This change has been tested on the latest version of the platform/language ### Checklist * [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) * [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) * [x] All code quality tools/guidelines have been run/followed * [x] All relevant assets have been compiled
ankita10119
added a commit
that referenced
this pull request
Sep 12, 2025
### Changed - Bump karma from 6.4.3 to 6.4.4 - Bump pbkdf2 from 3.1.2 to 3.1.3 - Bump validator from 13.15.0 to 13.15.15 - Bump sha.js from 2.4.11 to 2.4.12 - Bump cipher-base from 1.0.4 to 1.0.6 - Bump codecov/codecov-action from 5.4.3 to 5.5.1 - Bump puppeteer from 24.9.0 to 24.19.0 - Bump tmp from 0.2.3 to 0.2.5 - bump fsevents to latest(SEC- 2161) - Bump eslint-plugin-react from 7.34.1 to 7.37.5 - Bump @grpc/grpc-js and @google-cloud/translate ### Fixed - Fix: social connection names not showing displayName correctly [\#2651](#2651) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Update old Twitter icon and name to "X" [\#2649](#2649) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Fix issue 2546 - TypeError: Super expression must either be null or a function [\#2578](#2578) ([Hworden](https://github.com/Hworden)) - Fix: Accessibility Issues #2624 [\#2642](#2642) ([ankita10119](https://github.com/ankita10119)) - fix: Rename shop strategy [\#2641](#2641) ([omarquazi-okta](https://github.com/omarquazi-okta)) - Fix release pipeline cdn [\#2628](#2628) ([developerkunal](https://github.com/developerkunal)) - Fix Release PIPELINE [\#2627](#2627) ([developerkunal](https://github.com/developerkunal)) - chore: update .gitignore and Makefile for Puppeteer cache and config directories [\#2626](#2626) ([developerkunal](https://github.com/developerkunal)) - Fix Makefile for Puppeteer cache support [\#2625](#2625) ([developerkunal](https://github.com/developerkunal)) ### Removed - chore(ci): Remove Semgrep GHA Workflow [\#2650](#2650) ([eduardoboronat-okta](https://github.com/eduardoboronat-okta)) ### Security - security: Remove vulnerable node-es-module-loader dependency (SEC-2160) [\#2629](#2629) ([harekrishnarai](https://github.com/harekrishnarai)) ### Testing <!-- Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. --> * [ ] This change adds unit test coverage * [ ] This change adds integration test coverage * [ ] This change has been tested on the latest version of the platform/language ### Checklist * [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) * [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) * [x] All code quality tools/guidelines have been run/followed * [x] All relevant assets have been compiled
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR resolves the security vulnerability SEC-2160 by removing the vulnerable
node-es-module-loader@0.3.8dependency that was pulling incore-js@2.6.12.Changes Made
node-es-module-loader@0.3.8from devDependenciesscripts/lang-audit.jsto use native ES6 dynamic imports instead of the old module loaderesmpackage, enabling nativeimport()callsSecurity Impact
core-js@2.6.12i18n:validatescript continues to work correctlyTesting
This fix completely resolves the Socket security alert for
core-js@2.6.12while maintaining backward compatibility.