chore(deps): update dependency @auth0/auth0-spa-js to v2

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@auth0/auth0-spa-js	^1.6.0 → ^2.0.0

---

Release Notes

auth0/auth0-spa-js (@​auth0/auth0-spa-js)

v2.11.1

Compare Source

Full Changelog

Fixed

• fix: clear cache when different user logs in without logout #​1456 (yogeshchoudhary147)

v2.11.0

Compare Source

Full Changelog

Added

• feat: add organization parameter support to token exchange #​1477 (yogeshchoudhary147)

v2.10.0

Compare Source

Full Changelog

Added

• feat: Improve popup open error #​1292 (ArthurKnoep)

v2.9.1

Compare Source

Full Changelog

Added

• Export type for Custom Token Exchange support #​1461 (yogeshchoudhary147)

v2.9.0

Compare Source

Full Changelog

Added

• feat: add support scopes parameter for connected accounts #​1458 (guabu)

Security

• security: Upgrade component-cdn-uploader to v2.4.0 to address critical vulnerability of form-data package #​1454 (ankita10119)

v2.8.0

Compare Source

Full Changelog

Added

• feat: ensure to only lock for the same audience and client_id #​1408 (frederikprijck)
• Allow authorizationParameters.scope to accept an object #​1446 (aridibag)

Fixed

• fix: ensure to strip auth0Client #​1438 (frederikprijck)
• Avoid saving token when MissingRefreshTokenError is thrown #​1448 (aridibag)

v2.7.0

Compare Source

Full Changelog

Added

• Retry when DPoP nonce is expired #​1445 (adamjmcgrath)
• [ESD-52771] Support mix of DPoP and Bearer in the fetcher #​1442 (adamjmcgrath)

Fixed

• Fix MRRT with default audience in worker #​1439 (aridibag)
• Fetcher: fix incorrect URL building when baseUrl is present #​1435 (martinml)

v2.6.0

Compare Source

Full Changelog

Added

• Add support for connected accounts #​1422 (adamjmcgrath)

Fixed

• Fetcher should set DPoP nonce with nonce id #​1431 (adamjmcgrath)
• fix: do not mark setAuthorizationHeader as async #​1428 (frederikprijck)

v2.5.0

Compare Source

Full Changelog

Added

• Add Support for Multi-Resource Refresh Tokens (MRRT) #​1386 (aridibag)
• Make Fetcher to be Scope- and Audience-Aware #​1414 (frederikprijck)

v2.4.1

Compare Source

Full Changelog

Fixed

• fix: move runtime dependencies from devDependencies to dependencies #​1411 (gyaneshgouraw-okta)

v2.4.0

Compare Source

Full Changelog

Added

• Add HTTP fetcher for DPoP #​1400 (martinml)
• Add support for DPoP #​1388 (martinml)

v2.3.0

Compare Source

Full Changelog

Fixed

• Fix: Token Exchange Ignoring Scope and Audience Parameters #​1365 (tusharpandey13)
• bugfix: Correctly extract origin from domainUrl #​1372 (tusharpandey13)

v2.2.0

Compare Source

Full Changelog

Added

• Custom Token Exchange #​1344 (tusharpandey13)

v2.1.3

Compare Source

Full Changelog

Changed

• feat: support for hosted token worker #​1208 (DJMcK)

v2.1.2

Compare Source

Full Changelog

Fixed

• Ensure organization cookie is set when no organization was set #​1123 (frederikprijck)

v2.1.1

Compare Source

Full Changelog

Changed

• Do not lowercase org_name claim #​1117 (frederikprijck)

v2.1.0

Compare Source

Full Changelog

Added

• Support Organization Name #​1113 (frederikprijck)

Fixed

• Ensure AMR claim is set to an array of strings #​1112 (frederikprijck)

v2.0.8

Compare Source

Full Changelog

Changed

• Lazily retrieve transaction from transaction storage #​1108 (frederikprijck)

v2.0.7

Compare Source

Full Changelog

Changed

• Make TransactionManager use CookieDomain #​1105 (ZdravkoDonev-gtmhub)

v2.0.6

Compare Source

Full Changelog

Fixed

• Fix missing invalid state errors with Generic Error #​1102 (frederikprijck)

v2.0.5

Compare Source

Full Changelog

Changed

• distinguish between missing and invalid state #​1099 (frederikprijck)
• Allow sync openUrl #​1087 (adamjmcgrath)

v2.0.4

Compare Source

Full Changelog

Fixed

• Correctly expose missing_refresh_token error from worker #​1080 (frederikprijck)

v2.0.3

Compare Source

Full Changelog

Fixed

• Ensure cookieDomain is used when using legacy Cookiestorage #​1071 (frederikprijck)
• Ensure to only clear current client cache when logging out #​1068 (frederikprijck)

v2.0.2

Compare Source

Full Changelog

Security

• Bump jsonwebtoken to v9 #​1062 (dependabot)

This patch release is identical to 2.0.1 but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used.

Even though 2.0.1 was not vulnerable for the related CVE because of the fact that jsonwebtoken is a devDependency, we are cutting a release to ensure build tools no longer report our SDK as vulnerable to the mentioned CVE.

v2.0.1

Compare Source

Full Changelog

Changed

• Add openUrl and deprecate onRedirect #​1058 (frederikprijck)

Fixed

• Export MissingRefreshTokenError #​1043 (frederikprijck)

v2.0.0

Compare Source

Full Changelog

Auth0-SPA-JS v2 includes many significant changes compared to v1:

• Refactor module output and avoid default export #​942 (frederikprijck)
• Do not throw from checkSession #​943 (frederikprijck)
• Rework ignoreCache to cacheMode and introduce cache-only #​950 (ewanharris)
• Do not fallback to refreshing tokens via iframe method by default #​946 (ewanharris)
• Use form-encoded data by default #​945 (frederikprijck)
• Remove getIdTokenClaimsOptions type #​960 (ewanharris)
• Rename client_id to clientId #​956 (ewanharris)
• Remove polyfills from bundles #​951 (frederikprijck)
• Update output target to ES2017 #​953 (frederikprijck)
• Introduce authorizationParams to hold properties sent to Auth0 #​959 (ewanharris)
• Do not build Common JS module with externals #​971 (frederikprijck)
• De-dupe Id token; getUser and getIdTokenClaims no longer take any arguments #​967 (frederikprijck)
• Remove advancedOptions.defaultScope and replace with scope #​972 (ewanharris)
• Cache and return id token from memory #​975 (ewanharris)
• Remove buildAuthorizeUrl #​980 (frederikprijck)
• Make buildLogoutUrl internal #​982 (ewanharris)
• Fix spelling mistakes in id token validation messages #​940 (frederikprijck)

As with any major version bump, v2 of Auth0-SPA-JS contains a set of breaking changes. Please review the migration guide thoroughly to understand the changes required to migrate your application to v2.

v1.22.6

Compare Source

Security

• Bump jsonwebtoken to v9 #​1065 (frederikprijck)

This patch release is identical to 1.22.5 but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used.

Even though 1.22.5 was not vulnerable for the related CVE because of the fact that jsonwebtoken is a devDependency, we are cutting a release to ensure build tools no longer report our SDK as vulnerable to the mentioned CVE.

v1.22.5

Compare Source

Full Changelog

Fixed

• Ensure getTokenSilently works when mixing return types #​1016 (frederikprijck)

v1.22.4

Compare Source

Full Changelog

Fixed

• Release lock on pagehide #​974 (frederikprijck)

v1.22.3

Compare Source

Full Changelog

Changed

• feat(ClientStorage#remove):added support of cookieDomain #​935 (Dannnir)

Fixed

• Pin es-cookie to patch versions only #​965 (frederikprijck)

v1.22.2

Compare Source

Full Changelog

Changed

• Avoid sending unnecessary request parameters #​920 (frederikprijck)

v1.22.1

Compare Source

Full Changelog

Changed

• Stronger typing for screen_hint property #​912 (iAmWillShepherd)
• Add env to auth0Client userAgent #​913 (frederikprijck)

v1.22.0

Compare Source

Full Changelog

Added

• Silent auth fallback when using Refresh Tokens can now be disabled #​907 (frederikprijck)

Security

• [Snyk] Upgrade core-js 3.22.4 #​910 (crew-security)

v1.21.1

Compare Source

Full Changelog

Fixed

• Organization ID hint cookie now respects cookieDomain config setting #​900 (Dannnir)

Security

• [Snyk] Upgrade core-js from 3.21.1 to 3.22.0 #​901 (snyk-bot)
• [Snyk] Upgrade promise-polyfill from 8.2.1 to 8.2.3 #​893 (snyk-bot)

v1.21.0

Compare Source

Full Changelog

Added

• FEAT override cookie domain option #​885 (Soviut)

Fixed

• fix: handle NPE when no popup is available #​888 (stevehobbsdev)

v1.20.1

Compare Source

Full Changelog

Fixed

• Prevent cache.get when key is undefined #​882 (stevehobbsdev)

v1.20.0

Compare Source

Full Changelog

Added

• [SDK-3105] Add httpTimeoutInSeconds to control fetch timeout #​875 (stevehobbsdev)

Changed

• clarify documentation comment for getTokenSilently #​874 (jdugan1024)

Fixed

• Fix getTokenSilently reference in example code #​868 (mdlavin)

Security

• [Snyk] Upgrade core-js from 3.20.2 to 3.20.3 #​873 (snyk-bot)
• Bump node-fetch from 2.6.1 to 2.6.7 #​870 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.20.1 to 3.20.2 #​869 (snyk-bot)
• [Snyk] Upgrade core-js from 3.20.0 to 3.20.1 #​864 (snyk-bot)

v1.19.4

Compare Source

Full Changelog

Fixed

• Org ID hint cookie expiry now aligns with is.authenticated cookie #​861 (stevehobbsdev)

Security

• Bump follow-redirects from 1.14.0 to 1.14.7 #​860 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.19.2 to 3.20.0 #​858 (snyk-bot)
• [Snyk] Upgrade core-js from 3.19.1 to 3.19.2 #​851 (snyk-bot)

v1.19.3

Compare Source

Full Changelog

Changed

• Make RedirectLoginOptions and RedirectLoginResult accept generic AppState #​846 (frederikprijck)

Fixed

• Getidtokenclaims return type #​844 (jmac105)
• Add check for state in handleRedirectCallback #​841 (stevehobbsdev)
• Prevent nowProvider from being passed to authorize endpoint #​840 (stevehobbsdev)
• Fix cached scopes when using detailed response mode #​824 (stevehobbsdev)

v1.19.2

Compare Source

Full Changelog

This release fixes an anomoly with a new type we exposed in #​803, where it was incorrectly wrapped with Partial. We don't expect this change to introduce any issues, but if you are affected please raise it on our issue tracker.

Fixed

• GetTokenSilentlyVerboseResponse no longer uses partial TokenEndpointResponse type #​820 (stevehobbsdev)

v1.19.1

Compare Source

Full Changelog

Republished version 1.19.0, which got published during a period npm was suffering downtime issues, resulting in 1.19.0 being released but not installable for end users. Users should install 1.19.1 instead.

v1.19.0

Compare Source

Full Changelog

Added

• [SDK-2794] Return token response in getTokenSilently #​803 (stevehobbsdev)
• [SDK-2793] Ability to define a custom now provider #​802 (frederikprijck)

v1.18.0

Compare Source

Full Changelog

Added

• [SDK-2750] Expose mfa_token from the mfa_required error when getting new tokens #​789 (frederikprijck)

Changed

• [SDK-2759] Re-scoping cookies and transactions to client ID #​796 (stevehobbsdev)
• [SDK-2320] Throw login_required error in SPA SDK if running in a cross-origin is… #​790 (frederikprijck)

Fixed

• [SDK-2692] Remember organization ID for silent authentication #​788 (stevehobbsdev)

v1.17.1

Compare Source

Full Changelog

Fixed

• Correct cache interface #​779 (employee451)

v1.17.0

Compare Source

Full Changelog

Added

• Add useFormData to enable application/x-www-form-urlencoded requests #​768 (stevehobbsdev)

Changed

• Allow providing a domain that includes http or https. #​768 (stevehobbsdev)

v1.16.1

Compare Source

Full Changelog

Fixed

• Changes to logout and cache synchronicity #​758 (stevehobbsdev)

v1.16.0

Compare Source

Full Changelog

Added

• [SDK-2555] Extensible Cache #​743 (stevehobbsdev)

v1.15.0

Compare Source

Full Changelog

Added

• Add Popup cancelled event #​724 (degrammer)

Fixed

• Fix popup blocker showing for loginWithPopup in Firefox & Safari #​732 (stevehobbsdev)

v1.14.0

Compare Source

Full Changelog

Added

• feat(loginWithRedirect): add redirectMethod option #​717 (slaywell)
• Export errors for type checking #​716 (adamjmcgrath)

Changed

• Add screen_hint parameter to BaseLoginOptions #​721 (damieng)

Fixed

• Updated minor syntax, to allow for TypeScript compiler to be happier #​714 (kachihro)
• Revert [SDK-2183] Add warning when requested scopes differ from retrieved scopes #​712 (frederikprijck)

v1.13.6

Compare Source

Full Changelog

Changed

• Update docs for getIdTokenClaims and getUser #​690 (adamjmcgrath)
• [SDK-2238] Only use timeout promise when using fetchWithTimeout without a worker #​689 (frederikprijck)
• Do not use AbortController in the worker if not available #​679 (stevehobbsdev)
• Do not send useCookiesForTransactions to authorize request #​673 (frederikprijck)

Fixed

• Remove the nonce check in handleRedirectCallback #​678 (stevehobbsdev)

Security

• Update wait-on to solve security vulnerability #​687 (frederikprijck)
• [Security] Bump ini from 1.3.5 to 1.3.7 #​672 (dependabot-preview[bot])

v1.13.5

Compare Source

Full Changelog

Changed

• [SDK-2173] Expand on behaviour of checkSession in docs #​666 (stevehobbsdev)
• [SDK-2183] Add warning when requested scopes differ from retrieved scopes #​665 (frederikprijck)
• [SDK-2170] Avoid the possibility to do simultaneous calls to the token endpoint #​664 (frederikprijck)
• [SDK-2025] Internal module refactor #​661 (stevehobbsdev)
• [SDK-2039] Change cache lookup mechanism #​652 (frederikprijck)

Fixed

• [SDK-1739] Recover and logout when throwing invalid_grant on Refresh Token #​668 (frederikprijck)

Remarks

This release updates the getUser return type to be more correct. Instead of returning Promise<TUser>, it now returns Promise<TUser | undefined>, which might lead to an Object is possible 'undefined' compiler error in situation where the return value is not checked for being undefined while having set the TypeScript's --strictNullChecks compiler flag to true.

v1.13.4

Compare Source

Full Changelog

Added

• [SDK-2172] Add SDK metrics to all API calls #​659 (frederikprijck)

Changed

• [SDK-1159] Use generics for getUser #​651 (frederikprijck)

v1.13.3

Compare Source

Full Changelog

Fixed

• [SDK-2156] Heed timeoutInSeconds when calling getTokenSilently with refresh tokens #​639 (stevehobbsdev)

v1.13.2

Compare Source

Full Changelog

Added

• [SDK-2121] Add support for token validation for Organizations #​631 (stevehobbsdev)

v1.13.1

Compare Source

Full Changelog

Changed

• [SDK-2037] Remove cacheLocation guard from checkSession #​613 (frederikprijck)
• [SDK-2092] Do not use Web Worker for Safari < 12.1 #​612 (frederikprijck)

Fixed

• Fix leaking windows message event listener #​422 (yinzara)

v1.13.0

Compare Source

Full Changelog

Added

• [SDK-2042] Fallback option for transactions using cookies #​603 (stevehobbsdev)
• Refactor logout to use buildLogoutUrl #​595 (rnwolfe)
• Add an option to extend cookie expire day #​586 (luisfmsouza)

Fixed

• Use AbortController polyfill in Web Worker #​598 (frederikprijck)
• [SDK-1994] GMaps breaks SPA JS on IE11 #​592 (adamjmcgrath)

v1.12.1

Compare Source

Full Changelog

Fixed

• Remove sessionStorage requirement from instantiation to fix SSR environments #​578 (adamjmcgrath)

v1.12.0

Compare Source

Full Changelog

Added

• [SDK-1858] Create legacy samsite cookie by default #​568 (adamjmcgrath)

Changed

• Dependency updates #​569 (stevehobbsdev)
• Update FAQ.md with information on silent authentication problems #​550 (stevehobbsdev)

Fixed

• [SDK-1837] Session storage support for transactions #​564 (stevehobbsdev)
• [SDK-1924] client methods should handle partially filled arguments #​561 (adamjmcgrath)
• [SDK-1885] Add some additional state validation #​560 (adamjmcgrath)
• [SDK-1912] Unnecessary latency in getTokenSilently with primed cache #​558 (adamjmcgrath)
• fix: add missing types to utils.ts and errors.ts #​547 (SeyyedKhandon)
• Exclude windows absolute paths as well as posix #​534 (adamjmcgrath)

v1.11.0

Compare Source

Full Changelog

Added

• [SDK-1560] Allow issuer as url #​523 (adamjmcgrath)
• [SDK-1790] use refresh_tokens with multiple audiences #​521 (adamjmcgrath)
• [SDK-1650] Add message to errors that don't have one #​520 (adamjmcgrath)

Fixed

• [SDK-1798] prevent unnecessary token requests #​525 (adamjmcgrath)
• [SDK-1789] Add custom initial options to the 2 getToken methods #​524 (adamjmcgrath)

v1.10.0

Compare Source

Full Changelog

Changed

• [SDK-1696] Allow caller of cache.get to specify an expiry time adjustment #​491 (stevehobbsdev)

Fixed

• Don't include mocks in build #​503 (adamjmcgrath)
• [SDK-1699] Fix ID token validation for auth_time #​497 (stevehobbsdev)
• Add secure attribute to cookies if served over HTTPS #​472 (ties-v)

v1.9.0

Compare Source

Full Changelog

Added

• [SDK-1695] Add auth0Client option so wrapper libraries can send their own client info #​490 (adamjmcgrath)
• Add checkSession and ignore recoverable errors #​482 (adamjmcgrath)

Fixed

• Update docs for returnTo and client_id params on logout #​484 (stevehobbsdev)

v1.8.2

Compare Source

Full Changelog

Fixed

• [SDK-1640] Allow the client to be constructed in a Node SSR environment #​471 (adamjmcgrath)
• [SDK-1634] Pass custom options to the token endpoint #​465 (stevehobbsdev)
• [SDK-1649] Fix issue where cache was missed when scope parameter was provided #​461 (adamjmcgrath)

v1.8.1

Compare Source

Full Changelog

Fixed

• Fix issue with create-react-app webpack build #​451 (adamjmcgrath)

v1.8.0

Compare Source

Full Changelog

Added

• [SDK-1417] Customizable default scopes #​435 (stevehobbsdev)
• include polyfill for Set #​426 (tony-aq)

Fixed

• Update rollup-plugin-web-worker-loader to 1.1.1 #​443 (stevehobbsdev)
• Updated login_hint js docs to clarify usage with Lock #​441 (stevehobbsdev)

v1.7.0

Compare Source

Full Changelog

Added

• Support for rotating refresh tokens #​315 (stevehobbsdev)
• Export types from global TypeScript file. #​310 (maxswa)
• Local Storage caching mechanism #​303 (stevehobbsdev)

Changed

• Use Web Workers for token endpoint call for in-memory storage #​409 (adamjmcgrath)
• Export constructor #​385 (adamjmcgrath)
• Fall back to iframe method if no refresh token is available #​364 (stevehobbsdev)
• Removed setTimeout cache removal in favour of removal-on-read #​354 (stevehobbsdev)
• Stop checking isAuthenticated cookie on initialization when using local storage #​352 (stevehobbsdev)
• getTokenSilently retry logic #​336 (stevehobbsdev)
• Fixed issue with cache not retaining refresh token #​333 (stevehobbsdev)

Fixed

• Check if source of event exists before closing it #​410 (gerritdeperrit)
• Check if iframe is still in body before removing #​399 (paulfalgout)
• Fix typings to allow custom claims in ID token #​386 (picosam)
• Fix error in library type definitions #​367 (devoto13)

Security

• Dependency upgrade #​405 (stevehobbsdev)

v1.6.5

Compare Source

Full Changelog

Changed

• [SDK-1395] Refactor loginWithPopup to optionally accept an existing popup window #​368 (stevehobbsdev)
• handleRedirectCallback wont pass redirect_uri undefined if not set in transaction #​374 (albertlockett)
• Update dependencies within semver ranges #​371 (stevehobbsdev)
• [SDK-1099] Add localOnly logout option #​362 (adamjmcgrath)
• center popup over owner window #​356 (ggascoigne)

Fixed

• [SDK-1127] Delay removal of iframe to prevent Chrome hanging status bug #​240 [#​376](https://redirect.github.com/

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.