
auth0-js 9.26.1 using deprecated version of superagent 7.6.1 which contains references to polyfills.io - responsible for a recent supply chain attack #1447

Open

@PriyankaRbakhshi

Checklist

  • The issue can be reproduced in the auth0-js sample app (or N/A).
  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

auth0-js@9.26.1 has a dependency on superagent 7.6.1, which is deprecated. superagent 7.6.1 contains a README.md page which mentions polyfills.io. polyfills.io has recently been linked to a supply chain attack; please see the links below:

https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know

You can also find more details, with examples, on the site below:
https://sansec.io/research/polyfill-supply-chain-attack

auth0-js should be updated to use the latest superagent dependency, version 9 and above.

Reproduction

npm install auth0-js
npm ls superagent

Additional context

We are installing auth0-js using npm and don't use scripts or a CDN.

auth0-js version

9.26.1

Which browsers have you tested in?

Chrome
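As an added example (not code from the issue or the auth0-js project), a POSIX shell audit that scripts the reproduction above against an installed tree: it reads the superagent version from node_modules, compares its major version against the requested minimum of 9, and lists files in the package that reference polyfill.io. It runs against a constructed fixture standing in for the 7.6.1 install; point audit_project at a real project directory instead.

```shell
# Added example (not from the issue): audit an npm-installed tree for a
# superagent below major version 9 and list files mentioning polyfill.io.
# Assumes the npm layout node_modules/superagent/package.json.
# Print the installed superagent version (nothing when absent).
superagent_version() {
  pkg="$1/node_modules/superagent/package.json"
  [ -f "$pkg" ] || return 0
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}
# Succeed only when the installed major version is >= $2.
superagent_major_ok() {
  ver=$(superagent_version "$1")
  [ -n "$ver" ] || return 1
  [ "${ver%%.*}" -ge "$2" ] 2>/dev/null
}
# Print paths inside the superagent package that reference polyfill.io.
polyfill_refs() {
  dir="$1/node_modules/superagent"
  [ -d "$dir" ] || return 0
  grep -rli 'polyfill\.io' "$dir" 2>/dev/null || true
}
# Print findings; return 1 when anything needs attention, 0 when clean.
audit_project() {
  status=0
  if ! superagent_major_ok "$1" "$2"; then
    echo "superagent '$(superagent_version "$1")' installed; want major >= $2"
    status=1
  fi
  refs=$(polyfill_refs "$1")
  if [ -n "$refs" ]; then
    echo "polyfill.io referenced in:"; echo "$refs"
    status=1
  fi
  return "$status"
}
# Constructed fixture standing in for a real 'npm install auth0-js' tree:
# superagent 7.6.1 whose README mentions polyfill.io, as in the report.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/superagent"
  printf '{ "name": "superagent", "version": "7.6.1" }\n' \
    > "$root/node_modules/superagent/package.json"
  printf 'Polyfills are provided via polyfill.io\n' \
    > "$root/node_modules/superagent/README.md"
  echo "$root"
}

FIXTURE=$(make_fixture)
audit_project "$FIXTURE" 9; echo "audit exit status: $?"
```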

Metadata

Assignees

No one assigned

Labels

bug: This points to a verified bug in the code