Cleanup of deprecated transitive dependencies in @okta/okta-auth-js

Hi team,

I’m using @okta/okta-auth-js in an enterprise project, and our security scan flagged
a few deprecated and inactive transitive dependencies that come through the SDK.
These are not direct dependencies in our code, but they are introduced indirectly
through the Okta Auth JS package.

Package version:
@okta/okta-auth-js – tested with 7.14.0

Transitive dependencies flagged:

• p-finally@1.0.0 (deprecated)
• webcrypto-shim@0.1.7 (outdated WebCrypto polyfill)
• regenerator-runtime@0.14.1 (inactive maintenance)

Dependency chain example from our environment:

@okta/okta-auth-js
→ broadcast-channel
→ p-queue
→ p-timeout
→ p-finally (deprecated)

Although these packages do not have any known vulnerabilities, we are reaching out because they are deprecated and still included as transitive dependencies.

Request:
Is there any plan or roadmap to:

  1. Update or replace these outdated transitive dependencies, or
  2. Modernize the dependency chain in future releases?

Even a small update or guidance would help us.

Thank you!
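To reproduce the chain above from your own lockfile, the following script (added here as an example, not code from the original post or from the Okta SDK) walks an npm `package-lock.json` in the lockfileVersion 2/3 `packages` layout, applies npm's nearest-ancestor `node_modules` resolution, and reports every path from the root to a flagged package. The embedded lockfile is constructed to mirror the reported chain; the `0.0.0` versions of the intermediate packages are placeholders, not real versions.

```javascript
// Flagged transitive packages and the reason each was flagged in the post.
const FLAGGED = {
  "p-finally": "deprecated",
  "webcrypto-shim": "outdated WebCrypto polyfill",
  "regenerator-runtime": "inactive maintenance",
};

// Constructed, minimal package-lock.json (lockfileVersion 3 "packages" map).
// In real use: const LOCK = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
const LOCK = {
  packages: {
    "": { dependencies: { "@okta/okta-auth-js": "7.14.0" } },
    "node_modules/@okta/okta-auth-js": { version: "7.14.0",
      dependencies: { "broadcast-channel": "*", "webcrypto-shim": "*" } },
    "node_modules/broadcast-channel": { version: "0.0.0", dependencies: { "p-queue": "*" } },
    "node_modules/p-queue": { version: "0.0.0", dependencies: { "p-timeout": "*" } },
    "node_modules/p-timeout": { version: "0.0.0", dependencies: { "p-finally": "*" } },
    "node_modules/p-finally": { version: "1.0.0" },
    "node_modules/webcrypto-shim": { version: "0.1.7" },
  },
};

// npm resolution: look for node_modules/<name> beside the requiring package,
// then in each ancestor directory, finishing at the project root.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; returns one record per root-to-flagged-package path.
function findChains(lock, flagged) {
  const found = [];
  const walk = (path, chain, seen) => {
    const deps = lock.packages[path].dependencies || {};
    for (const name of Object.keys(deps)) {
      const next = resolve(lock, path, name);
      if (!next || seen.has(next)) continue; // unresolvable (optional dep) or cycle
      const label = name + "@" + lock.packages[next].version;
      if (flagged[name]) found.push({ chain: [...chain, label], reason: flagged[name] });
      walk(next, [...chain, label], new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

for (const r of findChains(LOCK, FLAGGED)) console.log(`${r.reason}: ${r.chain.join(" -> ")}`);
```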

There is an ongoing plan to address some of the outdated dependencies in the @okta/okta-auth-js package, but some are tied to older browser support.

  • The broadcast-channel package is planned to be updated in a future release
  • The existence of other dependencies is likely to continue as long as official support for IE11 remains a requirement for the SDK. Once IE11 support is officially dropped, these dependencies can be removed or modernized.

As far as the future roadmap goes, we recommend exploring the new client SDK for authentication that is currently in beta.