chore(deps-dev): bump @node-oauth/oauth2-server from 4.3.3 to 5.3.0 #1518

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/node-oauth/oauth2-server-5.3.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 8, 2026

Bumps @node-oauth/oauth2-server from 4.3.3 to 5.3.0.

Release notes

Sourced from @node-oauth/oauth2-server's releases.

5.3.0

Attention! This release fixes a reported vulnerability in the PKCE workflow!

Read more here: GHSA-jhm7-29pj-4xvf

This affects all versions below 5.3.0.

What's Changed

PKCE fixes

  • proper enforcement of parameter ABNF
  • failed PKCE challenge revokes authorization code to prevent brute force
  • challenge comparison using timing safe comparison
  • plain challenges need the explicit option enablePlainPKCE to be true when creating a new server instance

Other improvements

Dependencies

Full Changelog: node-oauth/node-oauth2-server@v5.2.1...v5.3.0

... (truncated)

Changelog

Sourced from @node-oauth/oauth2-server's changelog.

Changelog

5.0.0

This release contains several breaking changes. Please carefully consult the documentation while updating.

  • removed bluebird and promisify-any
  • uses native Promises and async/await everywhere
  • drop support for Node 14 (EOL), setting Node 16 as engine in package.json
  • this is a breaking change, because it removes callback support for OAuthServer and your model implementation.
  • fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
  • fix scope validation bug
  • revoke code before validating redirect URI
  • improved Bearer token validation
  • validate scope as an array of strings (breaking change)
  • model support for retrieving user based on client
  • more tests added; test coverage improved

4.2.0

Fixed

  • fix(core): Bearer regular expression matching in authenticate handler #105
  • fix(request): set WWW-Authenticate header for invalid requests #96 oauthjs#646
  • fix(handler): deny access when body.allowed is 'false' (#94)
  • fix(handlers): skip varcheck for state when allowEmptyState #89 #93

Added

  • supported custom validateRedirectUri
  • feature: Supported state in case of denial Merge #99
  • Bearer regular expression matching in authenticate handler
  • docs: Update extension-grants.rst with example #92
  • feature(core): extract is.js into standalone package @node-oauth/formats #55
  • feature(authorize): allow custom implementations of validateRedirectUri via model #89 p.4
    • support custom validateRedirectUri()
    • allow to implement model.validateRedirectUri
    • updated AuthorizeHandler
    • default conforms with RFC 6819 Section-5.2.3.5

Tests

  • Integration test password grant (#100)
    • test example
    • created db & model factories
    • added refresh_token grant type test
    • removed failing test, not implemented feature
    • add reference to issue
    • client authentication test
    • random client credentials in test
    • replace math.random by crypto.randomBytes

... (truncated)

Commits
  • cc70455 fix(deps): update package-lock after bumping package version
  • ef467c9 Merge commit from fork
  • 8a35509 publish 5.3.0
  • fe22982 fix: always perform timing safe equal check on PKCE challenge
  • e2fcac4 fix: cover thrown errors in PKCE tests
  • 2d0659f fix: multiple PKCE vulnerabilities addressed
  • 79b7cf5 Merge pull request #419 from node-oauth/dependabot/npm_and_yarn/handlebars-4.7.9
  • a9c6028 Merge pull request #420 from node-oauth/dependabot/github_actions/actions/con...
  • 8b54e5b build(deps): bump actions/configure-pages from 5 to 6
  • ba80c3b build(deps-dev): bump handlebars from 4.7.8 to 4.7.9
  • Additional commits viewable in compare view


Bumps [@node-oauth/oauth2-server](https://github.com/node-oauth/node-oauth2-server) from 4.3.3 to 5.3.0.
- [Release notes](https://github.com/node-oauth/node-oauth2-server/releases)
- [Changelog](https://github.com/node-oauth/node-oauth2-server/blob/master/CHANGELOG.md)
- [Commits](node-oauth/node-oauth2-server@v4.3.3...v5.3.0)

---
updated-dependencies:
- dependency-name: "@node-oauth/oauth2-server"
  dependency-version: 5.3.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on May 8, 2026
dependabot[bot] requested review from danielpeintner and relu91 as code owners on May 8, 2026 at 20:46