Dependency "cb" causing security issues in Nexus because of missing LICENSE file and being 10 years from last update

[awacode21]

Describe the problem

We are using express-openid-connect for our project to do the whole auth0 process.
But our production build is no longer able to build because Nexus complains about Security vulnaribilities. It is complaing about the dependency "cb" used by express-openid-connect as it is missing a LICENSE file and that the package is older than 5 years, actually the last update was 10 years ago.

Is there any chance to replace this outdated dependency?

What was the expected behavior?

My project should be able to use express-openid-connect without running into security vulnerabilities. I expect express-openid-connect to use mantained packages and not totally outdated stuff.

• Version of this library used:
  LATEST

[kmannislands]

Looks like the cb dependency is used in 2 files with 3 total calls. It is used to ensure a callback is executed once.

This is trivial to replace with code in express-openid-connect and a seems to me to be an example of the 'install a module for everything' anti pattern so commonplace the js ecosystem.

IMO, this dependency should definitely be removed.

[awacode21]

thank you so much for the quick reply and fix. When the fix will be released? @adamjmcgrath @kmannislands

[adamjmcgrath]

Hey @awacode21 - I'll put out a release next week

[awacode21]

Great thanks!

[adamjmcgrath]

👋 @awacode21 - this got released in 2.11.0