Security Updates for v3

[tstackhouse]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

vm2, which is a transitive dependency of this library is deprecated due to security issues, and I am unable to upgrade to 4.x of this library in the short term due to other libraries blocking my upgrade path. Are there any forthcoming updates to the 3.x line of this library that will address security issues?

Reproduction

n/a

Additional context

No response

node-auth0 version

3.7.2

Node.js version

16.20.1

[bdukes]

Similarly, we're using auth0-deploy-cli which depends on v3 of this library, and just started getting an error due to this library's dependency on rest-facade. It looks like superagent has a PR to update its dependency on formidable, though it's unclear when that might flow through the whole dependency chain.

# npm audit report

formidable  <3.2.4
Severity: critical
Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c
No fix available
node_modules/formidable
  superagent  >=0.4.0
  Depends on vulnerable versions of formidable
  node_modules/superagent
    rest-facade  *
    Depends on vulnerable versions of superagent
    node_modules/rest-facade
      auth0  2.0.0-alpha.3 - 3.7.2
      Depends on vulnerable versions of rest-facade
      node_modules/auth0
        auth0-deploy-cli  *
        Depends on vulnerable versions of auth0
        node_modules/auth0-deploy-cli

5 critical severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

[Narretz]

@bdukes this specific security vulnerability has been withdrawn: GHSA-8cp3-66vr-3r4c