npm: bump @auth0/auth0-react from 1.2.0 to 2.4.0 #67

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/auth0/auth0-react-2.4.0

dependabot bot commented on behalf of github Aug 25, 2025

Bumps @auth0/auth0-react from 1.2.0 to 2.4.0.

Release notes

Sourced from @auth0/auth0-react's releases.

v2.4.0

Added

Fixed

v2.3.0

What's Changed

... (truncated)

Changelog

Sourced from @auth0/auth0-react's changelog.

v2.4.0 (2025-07-22)

Full Changelog

Added

Fixed

v2.3.0 (2025-01-21)

Full Changelog

Added

Changed

Fixed

Removed

Security

v2.2.4 (2023-12-11)

Full Changelog

Changed

... (truncated)

Commits
  • 64c0fb2 Release v2.4.0 (#865)
  • 7e0583a Bump @typescript-eslint/eslint-plugin from 8.36.0 to 8.37.0 (#862)
  • 43825e3 Bump @auth0/auth0-spa-js from 2.2.0 to 2.3.0 (#858)
  • ff74518 feat: Upgrade core dependencies and regenerate documentation (#856)
  • 4630a16 fix/cypress (#857)
  • 9a10c78 Add Skip the Auth0 login page to FAQ (#815)
  • 93aa7d6 Enhance type safety in Auth0Provider and reducer by introducing generic user ...
  • 44477f8 refactor: streamline dependency installation by removing artifact restoration...
  • 1644bb5 Release v2.3.0 (#828)
  • 2a18f94 Release v2.3.0
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by auth0-oss, a new releaser for @auth0/auth0-react since your current version.


Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [@auth0/auth0-react](https://github.com/auth0/auth0-react) from 1.2.0 to 2.4.0.
- [Release notes](https://github.com/auth0/auth0-react/releases)
- [Changelog](https://github.com/auth0/auth0-react/blob/main/CHANGELOG.md)
- [Commits](auth0/auth0-react@v1.2.0...v2.4.0)

---
updated-dependencies:
- dependency-name: "@auth0/auth0-react"
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies and javascript labels Aug 25, 2025

netlify bot commented Aug 25, 2025

Deploy Preview for stoic-agnesi-f48178 failed.

🔨 Latest commit: 4b540e4
🔍 Latest deploy log: https://app.netlify.com/projects/stoic-agnesi-f48178/deploys/68acdb244dbcf20008033e34


fossabot bot commented Aug 25, 2025

Dependency Change Summary

@auth0/auth0-react (1.2.0 → 2.4.0)

⚠️ Important Changes

Updated dependencies to resolve false positive CVE-2022-23529 vulnerability detection in build tools, while the underlying @auth0/auth0-spa-js library was never actually vulnerable. Added deprecated support for redirectUri parameter and updated CI configuration to use pull_request instead of pull_request_target.

View raw changes (2 breaking, 5 security, 1 deprecations)
  • release notes (v2.3.0): ci: changed pull_request_target to pull_request and removed the authorize step by @desusai7 in auth0/auth0-react#796
  • release notes (v2.0.0-beta.0): Multiple notable modifications compared to the previous major version
  • release notes (v2.0.0-beta.0): [x] All active GitHub checks for tests, formatting, and security are passing
  • release notes (v1.12.1): Updated to resolve jsonwebtoken vulnerability detection in tooling
  • release notes (v1.12.1): Released version update to address false positive CVE vulnerability detection by build tools
  • release notes (v1.12.1): Clarified that the underlying library @auth0/auth0-spa-js was not actually vulnerable to CVE-2022-23529
  • release notes (v1.12.1): Updated to mitigate build tool reporting of vulnerability in SDKs using @auth0/auth0-spa-js
  • release notes (v2.0.1): Support redirectUri again in a deprecated way #507 (frederikprijck)

📦 Other Updates

This major update adds core authentication functionality including the useAuth0 hook and Auth0Provider component for managing login/logout state and user profiles. The update also adds React 19 support, fast refresh compatibility, and improved TypeScript definitions for better developer experience.

View all changes (28 features, 16 fixes, 86 other)
  • release notes (v2.4.0): Added ability to return a bullet-point list of distinct changes
  • release notes (v2.3.0): Update codeowner file with new GitHub team name by @stevenwong-okta in auth0/auth0-react#790
  • release notes (v2.3.0): Add ReversingLabs Workflow (Don't Merge) by @developerkunal in auth0/auth0-react#782
  • release notes (v2.3.0): Feature/react19 by @tusharpandey13 in auth0/auth0-react#824
  • release notes (v2.2.2): Added additional type safety in TypeScript definitions
  • release notes (v2.1.0): Adding onBeforeAuthentication to the withAuthenticationRequired HOC #534 (stephenkelzer)
  • release notes (v2.0.0): Significant changes introduced in version 2 compared to version 1 of @auth0/auth0-react
  • release notes (v2.0.0-beta.0): [x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • release notes (v1.12.0): Added ability to automatically preserve the URL that the user was trying to access before being redirected to login when using loginWithRedirect()
  • release notes (v1.11.0): No changes are specified in the provided paragraph. The paragraph contains only the header "Added" without any detailed changes listed.
  • release notes (v1.9.0): Added new functionality to the @auth0/auth0-react library (no specific details provided in the given paragraph)
  • release notes (v1.9.0): Add connection property to Auth0ProviderOptions #283 (stevehobbsdev)
  • release notes (v1.8.0): Added functionality that was referenced, but no specific details were provided in the given paragraph
  • release notes (v1.7.0): No changes were specified in the provided paragraph. The paragraph only contains "Added" without any further details about specific changes.
  • release notes (v1.6.0): Added (currently no specific details are provided about what was added)
  • release notes (v1.5.0): Added new functionality to the library (specific details not provided in the paragraph)
  • release notes (v1.5.0): Add TUser type param to useAuth0 hook #230 (Jameskmonger)
  • release notes (v1.4.0): Update SPA JS, add organizations docs and example #211 (adamjmcgrath)
  • release notes (v1.3.0): Added buildAuthorizeUrl and buildLogoutUrl #190 (THISS)
  • release notes (v1.3.0): Specified new minimum required Node.js version (specific version not provided in the original text)

Dependency Usage Analysis

The @auth0/auth0-react package provides the primary authentication system for this application through an Auth0Provider that wraps the entire app and the useAuth0() hook used across 6+ components. The implementation includes route protection with withAuthenticationRequired(), secure API communication via getAccessTokenSilently(), and integration with Aserto for role-based access control, creating a comprehensive authentication and authorization architecture.

Usage Locations

@auth0/auth0-react - 8 usages across 8 files:

  • src/views/Profile.js:6: This code is importing and using Auth0 authentication hooks to protect the Profile component, ensuring that only authenticated users can access the page and providing user authentication state and methods through the useAuth0 hook.
  • src/App.js:4: This code is importing the useAuth0 hook from the @auth0/auth0-react library, which provides authentication-related functionality for integrating Auth0 authentication into a React application.
  • src/components/NavBar.js:12: The code is importing the useAuth0 hook from the '@auth0/auth0-react' library, which provides authentication-related functionality for integrating Auth0 authentication into a React application.
  • src/components/UserDetails.js:4: Based on the context, this code is importing and likely using the useAuth0 hook from @auth0/auth0-react to handle authentication-related functionality in the UserDetails component, such as accessing user authentication state or methods.
  • src/utils/users.js:2: Based on the partial code snippet, it appears that the code is importing the useAuth0 hook from the @auth0/auth0-react library, which likely provides authentication-related functionality such as user login status, user profile information, and authentication methods for a React application using Auth0 as the authentication provider.
  • src/views/UserView.js:4: This code is importing the useAuth0 hook from the @auth0/auth0-react library, which provides authentication-related functionality for integrating Auth0 authentication into a React application.
  • src/views/Users.js:3: The code is using the withAuthenticationRequired Higher Order Component from @auth0/auth0-react to protect a React component, ensuring that only authenticated users can access the Users view/page.
  • src/index.js:5: The code is importing the Auth0Provider from @auth0/auth0-react, which is likely being used to wrap the main App component to enable authentication and authorization functionality using Auth0's authentication service.

Key Usage Patterns

@auth0/auth0-react in src/views/Profile.js:

import { useAuth0, withAuthenticationRequired } from '@auth0/auth0-react';

// Using useAuth0 (function)
// Using withAuthenticationRequired (function)

// Context:
import Highlight from '../components/Highlight'
import Loading from '../components/Loading'
import { useAuth0, withAuthenticationRequired } from '@auth0/auth0-react'

export const ProfileComponent = () => {

This code is importing and using Auth0 authentication hooks to protect the Profile component, ensuring that only authenticated users can access the page and providing user authentication state and methods through the useAuth0 hook.

@auth0/auth0-react in src/components/NavBar.js:

import { useAuth0 } from '@auth0/auth0-react';

// Using useAuth0 (function)

// Context:
} from 'react-bootstrap'

import { useAuth0 } from '@auth0/auth0-react'
import { useAserto } from '@aserto/aserto-react'
import { useUsers } from '../utils/users'

The code is importing the useAuth0 hook from the '@auth0/auth0-react' library, which provides authentication-related functionality for integrating Auth0 authentication into a React application.

Impact Assessment - Action Required

This impact assessment identifies critical breaking changes in the @auth0/auth0-react major version upgrade affecting 20 files across the application. Manual intervention is required to migrate authentication parameters to authorizationParams/logoutParams, remove deprecated claimCheck usage from withAuthenticationRequired, and replace removed methods like buildAuthorizeUrl/buildLogoutUrl. All authentication flows must be thoroughly tested after implementing the migration guide changes before deployment.

Example Impact

@auth0/auth0-react 1.2.0 → 2.4.0

src/views/Profile.js:6
Major version breaking changes - Multiple notable modifications compared to the previous major version including removal of polyfills, introduction of authorizationParams/logoutParams, removal of buildAuthorizeUrl/buildLogoutUrl, and other API changes

Fix: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly

Top Impacted Locations

  • 🔴 src/views/Profile.js:6: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/App.js:4: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/components/NavBar.js:12: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/components/UserDetails.js:4: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/utils/users.js:2: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/views/UserView.js:4: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/views/Users.js:3: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🔴 src/index.js:5: Review the migration guide thoroughly (https://github.com/auth0/auth0-react/blob/master/MIGRATION_GUIDE.md) and update code according to the breaking changes. Key changes include: use authorizationParams instead of deprecated properties, replace buildAuthorizeUrl/buildLogoutUrl with new methods, update logout calls to use openUrl instead of localOnly
  • 🟡 src/views/Profile.js:6: Remove any usage of claimCheck property from withAuthenticationRequired calls and implement custom claim validation logic if needed using the user object from useAuth0
  • 🟡 src/views/Users.js:3: Remove any usage of claimCheck property from withAuthenticationRequired calls and implement custom claim validation logic if needed using the user object from useAuth0

10 more locations

  • 🟢 src/views/Profile.js:6: Breaking change: CI workflow changes
  • 🟢 src/App.js:4: Breaking change: CI workflow changes
  • 🟢 src/components/NavBar.js:12: Breaking change: CI workflow changes
  • 🟢 src/components/UserDetails.js:4: Breaking change: CI workflow changes
  • 🟢 src/utils/users.js:2: Breaking change: CI workflow changes
  • 🟢 src/views/UserView.js:4: Breaking change: CI workflow changes
  • 🟢 src/views/Users.js:3: Breaking change: CI workflow changes
  • 🟢 src/index.js:5: Breaking change: CI workflow changes
  • 🟢 src/views/Profile.js:6: Authentication handling fixes - Fixed
  • 🟢 src/views/Users.js:3: Authentication handling fixes - Fixed

This comprehensive analysis uses AI to examine dependency changes, understand usage patterns, and assess the impact on your codebase.


deepsource-io bot commented Aug 25, 2025

Here's the code health analysis summary for commits 6cefd48..4b540e4. View details on DeepSource ↗.

Analysis Summary

| Analyzer | Status | Summary | Link |
| --- | --- | --- | --- |
| JavaScript | ✅ Success | | View Check ↗ |

💡 If you’re a repository administrator, you can configure the quality gates from the settings.
