Remove webcrypto-shim@0.1.7 & p-finally as security scan is throwing component end of life error

Hi team,

I’m using @okta/okta-auth-js in an enterprise project, and our security scan flagged
a few deprecated and inactive transitive dependencies that come through the SDK.
These are not direct dependencies in our code, but they are introduced indirectly
through the Okta Auth JS package.

Package version:
@okta/okta-auth-js – tested with 7.14.0

Transitive dependencies flagged:

• p-finally@1.0.0 (deprecated)
• webcrypto-shim@0.1.7 (outdated WebCrypto polyfill)
• regenerator-runtime@0.14.1 (inactive maintenance)

Dependency chain example from our environment:

@okta/okta-auth-js
→ broadcast-channel
→ p-queue
→ p-timeout
→ p-finally (deprecated)

Although these packages do not have any known vulnerabilities, we are reaching out because they are deprecated and still included as transitive dependencies.

Request:
Is there any plan or roadmap to:

  1. Update or replace these outdated transitive dependencies, or

  2. Modernize the dependency chain in future releases?

Even a small update or guidance would help us.

Thank you!

Hi @chaitanya.mula ,

Welcome to the community!

Thanks for reporting this. The closest open issue I see to this one is

I wonder if the same upgrade fix will address some of the issues you identified.

Would you mind posting this question to

Our SDK engineers can better respond with roadmaps for SDK work.

Happy coding!
