Migration to authjs 🚀 #673
Valid point regarding

It makes perfect sense to wait for a release of

Agreed! I can see that they already have alpha versions of Version 5 released. Have they added support for
I am a bit concerned, see reports below.

package.json

Audit Report:

# npm audit report

next >=13.4.0 <14.1.1
Severity: high
Next.js Server-Side Request Forgery in Server Actions - https://github.com/advisories/GHSA-fr5h-rqp8-mj6g
fix available via `npm audit fix`
node_modules/next

next-auth <4.24.5
Severity: moderate
Possible user mocking that bypasses basic authentication - https://github.com/advisories/GHSA-v64w-49xw-qq89
fix available via `npm audit fix --force`
Will install @sidebase/nuxt-auth@0.6.7, which is a breaking change
node_modules/next-auth
  @sidebase/nuxt-auth 0.3.0-alpha.1 - 0.4.0-alpha.6 || >=0.7.0-rc.0
  Depends on vulnerable versions of next-auth
  node_modules/@sidebase/nuxt-auth

3 vulnerabilities (2 moderate, 1 high)

Why next

❯ npm why next
next@13.5.6 peer
node_modules/next
  peer next@"^12.2.5 || ^13" from next-auth@4.21.1
  node_modules/next-auth
    next-auth@"4.21.1" from the root project
    peer next-auth@"^4" from @next-auth/prisma-adapter@1.0.7
    node_modules/@next-auth/prisma-adapter
      @next-auth/prisma-adapter@"^1.0.7" from the root project
    peer next-auth@"~4.21.1" from @sidebase/nuxt-auth@0.7.2
    node_modules/@sidebase/nuxt-auth
Primarily some missing security features, such as

We have already investigated internally what is required for a migration and are slowly preparing our module for this in the future. However, due to the reasons mentioned above, we will not release a stable version of the authjs provider until they do so as well!

If you delve into the actual report (GHSA-v64w-49xw-qq89), you'll see that the vulnerability only affects the default NextAuth middleware. One of the fixes they also mention is writing your own middleware that adds a check that was missing. See the original statement from us here: #514 (comment)

However, this middleware is never used inside our module, as we have our own custom Nuxt middleware. Therefore this vulnerability does not affect the module. If you have any additional questions, feel free to raise them. 😊
Hello everyone 👋
The time has come: We are slowly moving forward to migrate NuxtAuth from using NextAuth under the hood to running the new authjs package!
This will come with numerous benefits, including:
This issue will track our current progress, issues and goals. We are currently beginning this migration, therefore more information will follow soon.