chore(deps): update dependency @auth0/auth0-spa-js to v1.22.6

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@auth0/auth0-spa-js	1.6.0 → 1.22.6

---

Release Notes

auth0/auth0-spa-js (@​auth0/auth0-spa-js)

v1.22.6

Compare Source

Security

• Bump jsonwebtoken to v9 #​1065 (frederikprijck)

This patch release is identical to 1.22.5 but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used.

Even though 1.22.5 was not vulnerable for the related CVE because of the fact that jsonwebtoken is a devDependency, we are cutting a release to ensure build tools no longer report our SDK as vulnerable to the mentioned CVE.

v1.22.5

Compare Source

Full Changelog

Fixed

• Ensure getTokenSilently works when mixing return types #​1016 (frederikprijck)

v1.22.4

Compare Source

Full Changelog

Fixed

• Release lock on pagehide #​974 (frederikprijck)

v1.22.3

Compare Source

Full Changelog

Changed

• feat(ClientStorage#remove):added support of cookieDomain #​935 (Dannnir)

Fixed

• Pin es-cookie to patch versions only #​965 (frederikprijck)

v1.22.2

Compare Source

Full Changelog

Changed

• Avoid sending unnecessary request parameters #​920 (frederikprijck)

v1.22.1

Compare Source

Full Changelog

Changed

• Stronger typing for screen_hint property #​912 (iAmWillShepherd)
• Add env to auth0Client userAgent #​913 (frederikprijck)

v1.22.0

Compare Source

Full Changelog

Added

• Silent auth fallback when using Refresh Tokens can now be disabled #​907 (frederikprijck)

Security

• [Snyk] Upgrade core-js 3.22.4 #​910 (crew-security)

v1.21.1

Compare Source

Full Changelog

Fixed

• Organization ID hint cookie now respects cookieDomain config setting #​900 (Dannnir)

Security

• [Snyk] Upgrade core-js from 3.21.1 to 3.22.0 #​901 (snyk-bot)
• [Snyk] Upgrade promise-polyfill from 8.2.1 to 8.2.3 #​893 (snyk-bot)

v1.21.0

Compare Source

Full Changelog

Added

• FEAT override cookie domain option #​885 (Soviut)

Fixed

• fix: handle NPE when no popup is available #​888 (stevehobbsdev)

v1.20.1

Compare Source

Full Changelog

Fixed

• Prevent cache.get when key is undefined #​882 (stevehobbsdev)

v1.20.0

Compare Source

Full Changelog

Added

• [SDK-3105] Add httpTimeoutInSeconds to control fetch timeout #​875 (stevehobbsdev)

Changed

• clarify documentation comment for getTokenSilently #​874 (jdugan1024)

Fixed

• Fix getTokenSilently reference in example code #​868 (mdlavin)

Security

• [Snyk] Upgrade core-js from 3.20.2 to 3.20.3 #​873 (snyk-bot)
• Bump node-fetch from 2.6.1 to 2.6.7 #​870 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.20.1 to 3.20.2 #​869 (snyk-bot)
• [Snyk] Upgrade core-js from 3.20.0 to 3.20.1 #​864 (snyk-bot)

v1.19.4

Compare Source

Full Changelog

Fixed

• Org ID hint cookie expiry now aligns with is.authenticated cookie #​861 (stevehobbsdev)

Security

• Bump follow-redirects from 1.14.0 to 1.14.7 #​860 (dependabot[bot])
• [Snyk] Upgrade core-js from 3.19.2 to 3.20.0 #​858 (snyk-bot)
• [Snyk] Upgrade core-js from 3.19.1 to 3.19.2 #​851 (snyk-bot)

v1.19.3

Compare Source

Full Changelog

Changed

• Make RedirectLoginOptions and RedirectLoginResult accept generic AppState #​846 (frederikprijck)

Fixed

• Getidtokenclaims return type #​844 (jmac105)
• Add check for state in handleRedirectCallback #​841 (stevehobbsdev)
• Prevent nowProvider from being passed to authorize endpoint #​840 (stevehobbsdev)
• Fix cached scopes when using detailed response mode #​824 (stevehobbsdev)

v1.19.2

Compare Source

Full Changelog

This release fixes an anomoly with a new type we exposed in #​803, where it was incorrectly wrapped with Partial. We don't expect this change to introduce any issues, but if you are affected please raise it on our issue tracker.

Fixed

• GetTokenSilentlyVerboseResponse no longer uses partial TokenEndpointResponse type #​820 (stevehobbsdev)

v1.19.1

Compare Source

Full Changelog

Republished version 1.19.0, which got published during a period npm was suffering downtime issues, resulting in 1.19.0 being released but not installable for end users. Users should install 1.19.1 instead.

v1.19.0

Compare Source

Full Changelog

Added

• [SDK-2794] Return token response in getTokenSilently #​803 (stevehobbsdev)
• [SDK-2793] Ability to define a custom now provider #​802 (frederikprijck)

v1.18.0

Compare Source

Full Changelog

Added

• [SDK-2750] Expose mfa_token from the mfa_required error when getting new tokens #​789 (frederikprijck)

Changed

• [SDK-2759] Re-scoping cookies and transactions to client ID #​796 (stevehobbsdev)
• [SDK-2320] Throw login_required error in SPA SDK if running in a cross-origin is… #​790 (frederikprijck)

Fixed

• [SDK-2692] Remember organization ID for silent authentication #​788 (stevehobbsdev)

v1.17.1

Compare Source

Full Changelog

Fixed

• Correct cache interface #​779 (employee451)

v1.17.0

Compare Source

Full Changelog

Added

• Add useFormData to enable application/x-www-form-urlencoded requests #​768 (stevehobbsdev)

Changed

• Allow providing a domain that includes http or https. #​768 (stevehobbsdev)

v1.16.1

Compare Source

Full Changelog

Fixed

• Changes to logout and cache synchronicity #​758 (stevehobbsdev)

v1.16.0

Compare Source

Full Changelog

Added

• [SDK-2555] Extensible Cache #​743 (stevehobbsdev)

v1.15.0

Compare Source

Full Changelog

Added

• Add Popup cancelled event #​724 (degrammer)

Fixed

• Fix popup blocker showing for loginWithPopup in Firefox & Safari #​732 (stevehobbsdev)

v1.14.0

Compare Source

Full Changelog

Added

• feat(loginWithRedirect): add redirectMethod option #​717 (slaywell)
• Export errors for type checking #​716 (adamjmcgrath)

Changed

• Add screen_hint parameter to BaseLoginOptions #​721 (damieng)

Fixed

• Updated minor syntax, to allow for TypeScript compiler to be happier #​714 (kachihro)
• Revert [SDK-2183] Add warning when requested scopes differ from retrieved scopes #​712 (frederikprijck)

v1.13.6

Compare Source

Full Changelog

Changed

• Update docs for getIdTokenClaims and getUser #​690 (adamjmcgrath)
• [SDK-2238] Only use timeout promise when using fetchWithTimeout without a worker #​689 (frederikprijck)
• Do not use AbortController in the worker if not available #​679 (stevehobbsdev)
• Do not send useCookiesForTransactions to authorize request #​673 (frederikprijck)

Fixed

• Remove the nonce check in handleRedirectCallback #​678 (stevehobbsdev)

Security

• Update wait-on to solve security vulnerability #​687 (frederikprijck)
• [Security] Bump ini from 1.3.5 to 1.3.7 #​672 (dependabot-preview[bot])

v1.13.5

Compare Source

Full Changelog

Changed

• [SDK-2173] Expand on behaviour of checkSession in docs #​666 (stevehobbsdev)
• [SDK-2183] Add warning when requested scopes differ from retrieved scopes #​665 (frederikprijck)
• [SDK-2170] Avoid the possibility to do simultaneous calls to the token endpoint #​664 (frederikprijck)
• [SDK-2025] Internal module refactor #​661 (stevehobbsdev)
• [SDK-2039] Change cache lookup mechanism #​652 (frederikprijck)

Fixed

• [SDK-1739] Recover and logout when throwing invalid_grant on Refresh Token #​668 (frederikprijck)

Remarks

This release updates the getUser return type to be more correct. Instead of returning Promise<TUser>, it now returns Promise<TUser | undefined>, which might lead to an Object is possible 'undefined' compiler error in situation where the return value is not checked for being undefined while having set the TypeScript's --strictNullChecks compiler flag to true.

v1.13.4

Compare Source

Full Changelog

Added

• [SDK-2172] Add SDK metrics to all API calls #​659 (frederikprijck)

Changed

• [SDK-1159] Use generics for getUser #​651 (frederikprijck)

v1.13.3

Compare Source

Full Changelog

Fixed

• [SDK-2156] Heed timeoutInSeconds when calling getTokenSilently with refresh tokens #​639 (stevehobbsdev)

v1.13.2

Compare Source

Full Changelog

Added

• [SDK-2121] Add support for token validation for Organizations #​631 (stevehobbsdev)

v1.13.1

Compare Source

Full Changelog

Changed

• [SDK-2037] Remove cacheLocation guard from checkSession #​613 (frederikprijck)
• [SDK-2092] Do not use Web Worker for Safari < 12.1 #​612 (frederikprijck)

Fixed

• Fix leaking windows message event listener #​422 (yinzara)

v1.13.0

Compare Source

Full Changelog

Added

• [SDK-2042] Fallback option for transactions using cookies #​603 (stevehobbsdev)
• Refactor logout to use buildLogoutUrl #​595 (rnwolfe)
• Add an option to extend cookie expire day #​586 (luisfmsouza)

Fixed

• Use AbortController polyfill in Web Worker #​598 (frederikprijck)
• [SDK-1994] GMaps breaks SPA JS on IE11 #​592 (adamjmcgrath)

v1.12.1

Compare Source

Full Changelog

Fixed

• Remove sessionStorage requirement from instantiation to fix SSR environments #​578 (adamjmcgrath)

v1.12.0

Compare Source

Full Changelog

Added

• [SDK-1858] Create legacy samsite cookie by default #​568 (adamjmcgrath)

Changed

• Dependency updates #​569 (stevehobbsdev)
• Update FAQ.md with information on silent authentication problems #​550 (stevehobbsdev)

Fixed

• [SDK-1837] Session storage support for transactions #​564 (stevehobbsdev)
• [SDK-1924] client methods should handle partially filled arguments #​561 (adamjmcgrath)
• [SDK-1885] Add some additional state validation #​560 (adamjmcgrath)
• [SDK-1912] Unnecessary latency in getTokenSilently with primed cache #​558 (adamjmcgrath)
• fix: add missing types to utils.ts and errors.ts #​547 (SeyyedKhandon)
• Exclude windows absolute paths as well as posix #​534 (adamjmcgrath)

v1.11.0

Compare Source

Full Changelog

Added

• [SDK-1560] Allow issuer as url #​523 (adamjmcgrath)
• [SDK-1790] use refresh_tokens with multiple audiences #​521 (adamjmcgrath)
• [SDK-1650] Add message to errors that don't have one #​520 (adamjmcgrath)

Fixed

• [SDK-1798] prevent unnecessary token requests #​525 (adamjmcgrath)
• [SDK-1789] Add custom initial options to the 2 getToken methods #​524 (adamjmcgrath)

v1.10.0

Compare Source

Full Changelog

Changed

• [SDK-1696] Allow caller of cache.get to specify an expiry time adjustment #​491 (stevehobbsdev)

Fixed

• Don't include mocks in build #​503 (adamjmcgrath)
• [SDK-1699] Fix ID token validation for auth_time #​497 (stevehobbsdev)
• Add secure attribute to cookies if served over HTTPS #​472 (ties-v)

v1.9.0

Compare Source

Full Changelog

Added

• [SDK-1695] Add auth0Client option so wrapper libraries can send their own client info #​490 (adamjmcgrath)
• Add checkSession and ignore recoverable errors #​482 (adamjmcgrath)

Fixed

• Update docs for returnTo and client_id params on logout #​484 (stevehobbsdev)

v1.8.2

Compare Source

Full Changelog

Fixed

• [SDK-1640] Allow the client to be constructed in a Node SSR environment #​471 (adamjmcgrath)
• [SDK-1634] Pass custom options to the token endpoint #​465 (stevehobbsdev)
• [SDK-1649] Fix issue where cache was missed when scope parameter was provided #​461 (adamjmcgrath)

v1.8.1

Compare Source

Full Changelog

Fixed

• Fix issue with create-react-app webpack build #​451 (adamjmcgrath)

v1.8.0

Compare Source

Full Changelog

Added

• [SDK-1417] Customizable default scopes #​435 (stevehobbsdev)
• include polyfill for Set #​426 (tony-aq)

Fixed

• Update rollup-plugin-web-worker-loader to 1.1.1 #​443 (stevehobbsdev)
• Updated login_hint js docs to clarify usage with Lock #​441 (stevehobbsdev)

v1.7.0

Compare Source

Full Changelog

Added

• Support for rotating refresh tokens #​315 (stevehobbsdev)
• Export types from global TypeScript file. #​310 (maxswa)
• Local Storage caching mechanism #​303 (stevehobbsdev)

Changed

• Use Web Workers for token endpoint call for in-memory storage #​409 (adamjmcgrath)
• Export constructor #​385 (adamjmcgrath)
• Fall back to iframe method if no refresh token is available #​364 (stevehobbsdev)
• Removed setTimeout cache removal in favour of removal-on-read #​354 (stevehobbsdev)
• Stop checking isAuthenticated cookie on initialization when using local storage #​352 (stevehobbsdev)
• getTokenSilently retry logic #​336 (stevehobbsdev)
• Fixed issue with cache not retaining refresh token #​333 (stevehobbsdev)

Fixed

• Check if source of event exists before closing it #​410 (gerritdeperrit)
• Check if iframe is still in body before removing #​399 (paulfalgout)
• Fix typings to allow custom claims in ID token #​386 (picosam)
• Fix error in library type definitions #​367 (devoto13)

Security

• Dependency upgrade #​405 (stevehobbsdev)

v1.6.5

Compare Source

Full Changelog

Changed

• [SDK-1395] Refactor loginWithPopup to optionally accept an existing popup window #​368 (stevehobbsdev)
• handleRedirectCallback wont pass redirect_uri undefined if not set in transaction #​374 (albertlockett)
• Update dependencies within semver ranges #​371 (stevehobbsdev)
• [SDK-1099] Add localOnly logout option #​362 (adamjmcgrath)
• center popup over owner window #​356 (ggascoigne)

Fixed

• [SDK-1127] Delay removal of iframe to prevent Chrome hanging status bug #​240 #​376 (adamjmcgrath)
• [SDK-1125] createAuth0Client now throws errors that are not login_required #​369 (stevehobbsdev)

v1.6.4

Compare Source

Full Changelog

Changed

• [SDK-1308] Return appState value on error from handleRedirectCallback #​348 (stevehobbsdev)
• Configurable timeout for getTokenSilently() #​347 (Serjlee)

v1.6.3

Compare Source

Full Changelog

Fixed

• Send same redirect_uri as /authorize to /token #​341 (stevehobbsdev)
• No longer acquires a browser lock if there was a hit on the cache #​339 (stevehobbsdev)
• Use user provided params on silent login #​318 (nkete)

v1.6.2

Compare Source

Full Changelog

Removed

Removed future issued-at claim check stevehobbsdev - #​329

v1.6.1

Compare Source

Fixed

Included core-js polyfill for String.includes to fix an issue with browser-tabs-lock in IE11 stevehobbsdev - #​325
Added import definition to Getting Started section in the Readme for clarity thundermiracle - #​294

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.