Security Vulnerability: Okta SDK v6.x Dependency Forces Use of Vulnerable Package #2005

@kihonq

Expected Behavior

The @roadiehq/catalog-backend-module-okta plugin should work with the latest secure version of @okta/okta-sdk-nodejs (v7.1.1+) without runtime errors, allowing users to avoid known security vulnerabilities.

Current Behavior

The plugin crashes with a TypeError: client.listUsers is not a function when used with @okta/okta-sdk-nodejs v7.x due to breaking API changes in the Okta SDK. This forces users to downgrade to the vulnerable v6.x SDK to maintain functionality.

Runtime Error:

TypeError: client.listUsers is not a function
    at OktaUserEntityProvider.run (/app/node_modules/@roadiehq/catalog-backend-module-okta/dist/providers/OktaUserEntityProvider.cjs.js:40:35)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

Security Issue:
Okta SDK v6.x contains a High Severity vulnerability:

✗ Prototype Pollution [High Severity] in njwt@1.2.0
  introduced by @okta/okta-sdk-nodejs@6.6.0 > njwt@1.2.0
  Snyk Security ID: SNYK-JS-NJWT-1070976

Steps to Reproduce

  1. Install @roadiehq/catalog-backend-module-okta@1.2.1
  2. Upgrade @okta/okta-sdk-nodejs to ^7.1.1 (the secure version)
  3. Configure the Okta plugin in your Backstage backend
  4. Start the application
  5. Observe the runtime error when the plugin attempts to call client.listUsers()

Minimal reproduction:

// package.json (relevant dependencies only)
{
  "dependencies": {
    "@roadiehq/catalog-backend-module-okta": "^1.2.1",
    "@okta/okta-sdk-nodejs": "^7.1.1"
  }
}

Possible Solution

Update the plugin to support Okta SDK v7.x API changes:

API Changes Required:

  • client.listUsers() → client.userApi.listUsers()
  • client.listGroups() → client.groupApi.listGroups()
  • Similar updates for other affected methods

Code locations that likely need updates:

  • dist/providers/OktaUserEntityProvider.cjs.js:40
  • Any other direct calls to Okta SDK methods on the client object

Dependencies:

  • Update peerDependencies to support "@okta/okta-sdk-nodejs": "^7.1.1"

Context

This issue creates a security vs. functionality dilemma for Backstage users:

  • Use v6.x SDK: Plugin works but application has High Severity vulnerability
  • Use v7.x SDK: Application is secure but plugin crashes

We're trying to maintain a secure Backstage installation while using the Okta integration for user management. The current state forces us to choose between security and functionality.

Impact:

  • Blocks security compliance for organizations using this plugin
  • Prevents adoption of latest Okta SDK features and fixes
  • Creates technical debt for teams maintaining Backstage instances

Your Environment

  • @roadiehq/catalog-backend-module-okta version: ^1.2.1
  • @okta/okta-sdk-nodejs version: ^7.1.1 (crashes) / ^6.6.0 (vulnerable but works)
  • @backstage/backend-plugin-api version: ^1.3.1
  • Node.js version: 22.14.0
  • Operating System: macOS 15.5
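One way a plugin can survive the v6 → v7 move without pinning the vulnerable SDK, as an added example that is not part of the issue, the roadie plugin, or the Okta SDK: resolve the list methods through a small compatibility layer that looks for the v7 location (client.userApi.listUsers(), client.groupApi.listGroups()) first and falls back to the v6 location (client.listUsers(), client.listGroups()), failing with a readable error instead of the bare "is not a function" TypeError when neither exists. It assumes only what the issue states about method locations, plus that the returned collections are async-iterable and that the v7 generated methods may hand back a Promise of the collection (so the result is awaited before iteration). The two "SDK clients" below are constructed fakes that mimic those shapes so the example runs offline; detectSdkShape, makeOktaReader and demo are names chosen for this example.

```javascript
// Classify the client shape: 'v7' when the generated API objects are present,
// 'v6' when the list methods sit directly on the client, else 'unknown'.
function detectSdkShape(sdkClient) {
  if (sdkClient.userApi && typeof sdkClient.userApi.listUsers === 'function') return 'v7';
  if (typeof sdkClient.listUsers === 'function') return 'v6';
  return 'unknown';
}

// Resolve a method on sdkClient[apiProp] (v7 layout) or directly on sdkClient
// (v6 layout). Throws a descriptive error rather than the bare TypeError
// "client.listUsers is not a function" quoted in the issue.
function resolveMethod(sdkClient, apiProp, methodName) {
  const v7Api = sdkClient[apiProp];
  if (v7Api && typeof v7Api[methodName] === 'function') {
    return (...args) => v7Api[methodName](...args);
  }
  if (typeof sdkClient[methodName] === 'function') {
    return (...args) => sdkClient[methodName](...args);
  }
  throw new Error(
    `Okta client exposes neither ${apiProp}.${methodName}() (SDK v7) nor ` +
    `${methodName}() (SDK v6); check the installed @okta/okta-sdk-nodejs version`,
  );
}

// Drain an async-iterable collection into an array. `await` on the result
// first: assumption that v7 methods return Promise<Collection> while v6
// returns the Collection directly; awaiting a non-promise is harmless.
async function collect(maybePromisedCollection) {
  const collection = await maybePromisedCollection;
  const items = [];
  for await (const item of collection) items.push(item);
  return items;
}

// The two calls the issue names, wrapped once so provider code never touches
// the client layout directly. Resolution happens at construction, so a
// mismatched SDK fails at startup, not on the first catalog refresh.
function makeOktaReader(sdkClient) {
  const listUsers = resolveMethod(sdkClient, 'userApi', 'listUsers');
  const listGroups = resolveMethod(sdkClient, 'groupApi', 'listGroups');
  return {
    shape: detectSdkShape(sdkClient),
    users: (query) => collect(listUsers(query)),
    groups: (query) => collect(listGroups(query)),
  };
}

// --- Constructed fake clients standing in for the two SDK layouts ---
async function* asyncList(items) { for (const i of items) yield i; }

const SAMPLE_USERS = [{ id: '00u1', profile: { login: 'a@example.com' } }];   // constructed
const SAMPLE_GROUPS = [{ id: '00g1', profile: { name: 'engineering' } }];     // constructed

// v6 layout: methods on the client, collection returned synchronously.
const fakeV6Client = {
  listUsers: () => asyncList(SAMPLE_USERS),
  listGroups: () => asyncList(SAMPLE_GROUPS),
};

// v7 layout: methods on generated API objects, collection behind a Promise.
const fakeV7Client = {
  userApi: { listUsers: async () => asyncList(SAMPLE_USERS) },
  groupApi: { listGroups: async () => asyncList(SAMPLE_GROUPS) },
};

// Neither layout (wrong package, or a future breaking release).
const fakeBrokenClient = {};

// Run the same provider logic against both layouts and capture the failure
// mode for the unsupported one.
async function demo() {
  const v6 = makeOktaReader(fakeV6Client);
  const v7 = makeOktaReader(fakeV7Client);
  let message = '';
  try { makeOktaReader(fakeBrokenClient); } catch (e) { message = e.message; }
  return {
    v6Users: await v6.users(),
    v7Users: await v7.users(),
    v7Groups: await v7.groups(),
    message,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

With this shim in place the plugin's peerDependency range can be widened to cover both major versions while the vulnerable v6 line is phased out; the `shape` field is useful to log once at startup so operators can confirm which SDK actually loaded.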
