chore(deps): upgrade auth0-password-policies to 3.1.0#2769
Closed
ankita10119 wants to merge 1 commit intomasterfrom
Closed
chore(deps): upgrade auth0-password-policies to 3.1.0#2769ankita10119 wants to merge 1 commit intomasterfrom
ankita10119 wants to merge 1 commit intomasterfrom
Conversation
7 tasks
ankita10119
added a commit
that referenced
this pull request
Apr 6, 2026
…s to 3.1.0, and fix dev setup (#2771) ### Changes This PR consolidates three related dependency upgrades and fixes the local development setup that had been broken since PR #2622 . It supersedes #2769 (which will be closed). 1. **webpack-dev-server** `v4 `→ `v5` (`package.json`, `webpack.config.js`) PR #2622 bumped **webpack-dev-server** from `4.15.2` to `5.2.1`. This was a breaking change that went unnoticed because CI only runs tests, it never starts the dev server. Running npm start after that bump resulted in: _ValidationError: Invalid options object. Dev Server has been initialized using an options object that does not match the API schema. - options has an unknown property 'https'._ **Root cause**: webpack-dev-server v5 removed the https shorthand option that existed in v4. The replacement is the server object API. Fix in `webpack.config.js`: // Before (v4 API — broken in v5) `https: getDevCerts() || true` // After (v5 API) ``` server: { type: 'https', options: getDevCerts() || {} } ``` `package.json`: Version constraint updated from ^4.15.2 back to ^5.2.1 (resolves to 5.2.3, also covering PR #2767's bump). 2. Fix 403 Forbidden when loading bundle from Auth0 hosted pages (webpack.config.js) After fixing the startup crash, a second issue surfaced when testing against a custom hosted login page on manage.auth0.com: the browser reported Auth0Lock is not defined.Inspecting the Network tab showed the bundle request returning 403 Forbidden. **Root cause**: webpack-dev-server v5 introduced a security middleware (cross-origin-header-check) that blocks any request where both of these are true: - `sec-fetch-mode: no-cors` — always set by <script> tags - `sec-fetch-site: cross-site` — always set when an external origin (e.g. manage.auth0.com) loads a resource from localhost:3000 The combination of these two headers causes webpack-dev-server to return 403 before the bundle is served. **Fix**: ` allowedHosts: 'all'` This disables the cross-origin host check. It is safe for a local dev server — it has no effect on production builds and only applies when npm start is running. The original v4 server had no such restriction. 3. **auth0-password-policies** `1.0.2` → `3.1.0` and password-sheriff `1.1.1` → `2.0.0` (`package.json`, `webpack.config.js`) `auth0-password-policies@1.0.2` was published in November 2018. After 7 years of inactivity, versions 1.1.0 through 3.1.0 were released between August 2025 and February 2026.Dependabot opened PR #2705 targeting 1.1.1 (the first post-gap release), but that PR failed CI and was superseded by two further major versions before it could be merged. This PR jumps directly to the current latest (3.1.0). **Why password-sheriff is also bumped**: `auth0-password-policies@3.x` declares `password-sheriff@^2.0.0` as a peer/dependency. Lock also uses password-sheriff directly in src/field/password.js and `src/ui/input/password/password_strength.jsx `via `password-sheriff/lib/policy`. The `lib/policy.js` API is identical between `v1` and `v2` , the only additions are two new built-in rule types (sequentialChars, maxLength) which Lock does not use. Bumping Lock's direct constraint to ^2.0.0 avoids having two copies of password-sheriff in the install tree. **Why webpack.config.js needed a new babel-loader rule**: `auth0-password-policies@3.1.0` ships its source with ES2020 syntax (optional chaining ?.). The project runs es-check es2017 against the built bundle as a CI gate. The existing webpack babel rule has `exclude: node_modules`, so third-party packages are bundled as-is. For most packages this is fine since they ship pre-built ES5, but auth0-password-policies does not. A dedicated babel-loader rule for `auth0-password-policies` is added before the main rule. There is one non-obvious subtlety: Babel 7's `.babelrc` is file-relative, it only applies to files within the same package root and is silently ignored when Babel processes files in a different package under node_modules. This means Babel would run but apply no transforms, leaving ?. in the output. The fix is to pass presets explicitly in the rule's options alongside configFile: false and `babelrc: false`, so Babel uses exactly those presets regardless of config file boundaries: ``` { test: /\.js$/, include: path.join(__dirname, 'node_modules', 'auth0-password-policies'), loader: 'babel-loader', options: { presets: [['@babel/preset-env', { useBuiltIns: 'entry', corejs: '3.26.1' }]], configFile: false, babelrc: false } } ``` 4. Fix webpack 5 compilation warning for CordovaAuth0Plugin (`src/core/web_api/p2_api.js`) After the auth0-js bump in PR #2766 (9.30.1 → 9.32.0), webpack emitted two warnings on every build: ``` WARNING in ./src/core/web_api/p2_api.js export 'default' (imported as 'CordovaAuth0Plugin') was not found in 'auth0-js/dist/cordova-auth0-plugin.min.js' (module has no exports) ``` **Root cause**: `cordova-auth0-plugin.min.js` uses a UMD format (module.exports = factory()). Webpack 5's static analysis cannot resolve a default export from a module.exports assignment inside a UMD IIFE, so it warns when the file is imported with ES module import default syntax. **Fix**: Replace the ES module import with require(), which webpack handles correctly for CommonJS/UMD modules: // Before `import CordovaAuth0Plugin from 'auth0-js/dist/cordova-auth0-plugin.min.js';` // After `const CordovaAuth0Plugin = require('auth0-js/dist/cordova-auth0-plugin.min.js');` Runtime behaviour is unchanged, the `typeof CordovaAuth0Plugin === 'function'` guard already in place handles the case where the plugin is unavailable. ### References - Supersedes #2769 - Supersedes #2705 - Fixes dev setup broken by #2622 - Related to #2767 (webpack-dev-server 5.2.1 → 5.2.3, covered by ^5.2.1 range) - Related to #2766 (auth0-js 9.30.1 → 9.32.0, source of the CordovaAuth0Plugin warning) ### Testing Tested with local development setup. * [ ] This change adds unit test coverage * [ ] This change adds integration test coverage * [ ] This change has been tested on the latest version of the platform/language ### Checklist * [ ] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) * [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) * [ ] All code quality tools/guidelines have been run/followed * [ ] All relevant assets have been compiled
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Upgrades
auth0-password-policiesfrom1.0.2to3.1.0(latest) and password-sheriff from1.1.1to2.0.0.Background
auth0-password-policies@1.0.2was published in November 2018. The package was dormant for 7 years and then released1.1.0through3.1.0in rapid succession between August 2025 and February 2026. Dependabot previously opened PR #2705 targeting 1.1.1 (the first release after the gap), but that PR is stale and was superseded by two further major versions before it could be merged. This PR jumps directly to the current latest.Why password-sheriff is also bumped:
auth0-password-policies@3.xdepends onpassword-sheriff@^2.0.0. Lock also uses password-sheriff directly (src/field/password.js,src/ui/input/password/password_strength.jsx) via password-sheriff/lib/policy. Thelib/policy.jsAPI is identical between v1 and v2 - the only addition is two new built-in rule types (sequentialChars, maxLength) which lock does not use. Bumping lock's direct constraint to ^2.0.0 avoids having two versions of password-sheriff in the install tree.Why webpack.config.js needed a change:
auth0-password-policies@3.1.0ships with ES2020 syntax (optional chaining ?.) in its source. The project runs es-check es2017 against the built bundle as a CI gate. The existing webpack babel rule hasexclude: node_modules, which means third-party packages are bundled as-is without transpilation. For most packages this is fine since they ship pre-built ES5, but auth0-password-policies does not.Adding a dedicated
babel-loaderrule forauth0-password-policiesbefore the main rule handles this. There is one non-obvious subtlety: Babel 7's.babelrcis file-relative, it only applies to files within the same package root and is not used when babel processes files in a different package undernode_modules. This means babel would run but apply no transforms, leaving ?. in the output. The fix is to pass presets explicitly in the rule's options alongside configFile: false andbabelrc: false, so babel knows exactly what to do with the file regardless of config file boundaries.References
Supersedes #2705
Testing
Checklist