feat: add storagePrefix option to react sdk

[gustavofabro-i2p]

Related Issues

Related PRs

#265

Description

Add storagePrefix option to react SDK

Must

• Tests
• Documentation (if applicable)

[vercel]

@gustavofabro is attempting to deploy a commit to the descope Team on Vercel.

A member of the Team first needs to authorize it.

[wiz-d45ab51820]

Wiz Scan Summary

Displaying only findings that violated a policy

Scanner	Findings
Vulnerabilities	3
Sensitive Data	-
Total	3

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[wiz-d45ab51820]

 Vulnerability Finding on line 0

More Details

Vulnerabilities [form-data:4.0.0]

Name	Severity	Source	Fixed version	CVSS score	CVSS exploitability score	Has public exploit	Has CISA KEV exploit
CVE-2025-7783		GHSA-fjxv-7rqg-78g4	4.0.4	9.4	-	false	false

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

[wiz-d45ab51820]

 Vulnerability Finding on line 0

More Details

Vulnerabilities [next:14.2.21]

Name	Severity	Source	Fixed version	CVSS score	CVSS exploitability score	Has public exploit	Has CISA KEV exploit
CVE-2025-29927		GHSA-f82v-jwr5-mffw	14.2.25	9.1	3.9	true	false
CVE-2025-32421		GHSA-qpjv-v59x-3qc4	14.2.24	3.7	2.2	false	false
CVE-2025-48068		GHSA-3h52-269p-cp9r	14.2.30	2.3	2.8	false	false
CVE-2025-55173		GHSA-xv57-4mr9-wg8v	14.2.31	4.3	2.8	false	false
CVE-2025-57752		GHSA-g5qg-72qw-gw5v	14.2.31	6.2	2.5	false	false
CVE-2025-57822		GHSA-4342-x723-ch2f	14.2.32	8.2	3.9	false	false

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

[wiz-d45ab51820]

 Vulnerability Finding on line 0

More Details

Vulnerabilities [next:14.2.10]

Name	Severity	Source	Fixed version	CVSS score	CVSS exploitability score	Has public exploit	Has CISA KEV exploit
CVE-2024-51479		GHSA-7gfc-8cq8-jh5f	14.2.15	7.5	3.9	false	false
CVE-2024-56332		GHSA-7m27-7ghc-44w9	14.2.21	5.3	3.9	false	false
CVE-2025-29927		GHSA-f82v-jwr5-mffw	14.2.25	9.1	3.9	true	false
CVE-2025-32421		GHSA-qpjv-v59x-3qc4	14.2.24	3.7	2.2	false	false
CVE-2025-48068		GHSA-3h52-269p-cp9r	14.2.30	2.3	2.8	false	false
CVE-2025-55173		GHSA-xv57-4mr9-wg8v	14.2.31	4.3	2.8	false	false
CVE-2025-57752		GHSA-g5qg-72qw-gw5v	14.2.31	6.2	2.5	false	false
CVE-2025-57822		GHSA-4342-x723-ch2f	14.2.32	8.2	3.9	false	false

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

[asafshen]

very neat! thanks for the contribution!

there are other usage of the storage prefixes that I'm not sure that are considered, such as

• Descope component (descope-wc inside web-compoent package) also creates an sdk
• Widgets as well

we need to address those as well

[asafshen]

storage prefix should also be in the deps array

[gustavofabro-i2p]

Done, thanks!

[gustavofabro-i2p]

very neat! thanks for the contribution!

there are other usage of the storage prefixes that I'm not sure that are considered, such as

• Descope component (descope-wc inside web-compoent package) also creates an sdk
• Widgets as well

we need to address those as well

The widget components have been updated, but I'm not sure about descope-wc. The React wrapper for the web component is overriding persistToken as false (global SDK will handle token management in this case), so from our tests, there's no effect if I pass the storagePrefix to the React Descope component