Update dependency passport-oauth2 to v1.6.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
passport-oauth2	1.5.0 → 1.6.1

GitHub Vulnerability Alerts

CVE-2021-41580

The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. This is exploitable in certain use cases where an OAuth identity provider uses an HTTP 200 status code for authentication-failure error reports, and an application grants authorization upon simply receiving the access token (i.e., does not try to use the token). NOTE: the passport-oauth2 vendor does not consider this a passport-oauth2 vulnerability.

---

Release Notes

jaredhanson/passport-oauth2 (passport-oauth2)

v1.6.1

Compare Source

Fixed

• Error in cases where the authorization server returns a successful access
  token response which is missing an access_token parameter.

v1.6.0

Compare Source

Added

• Support for store: true option to Strategy constructor, which initializes
  a state store capable of storing application-level state.
• Support for state object passed as option to authenticate, which will be
  persisted in the session by state store.
• callbackURL property added to metadata passed to state store.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.