chore(deps): upgrade auth0-password-policies to 3.1.0 #2769
Open
ankita10119 wants to merge 1 commit into master from
Changes
Upgrades auth0-password-policies from 1.0.2 to 3.1.0 (latest) and password-sheriff from 1.1.1 to 2.0.0.

Background
auth0-password-policies@1.0.2 was published in November 2018. The package was dormant for 7 years and then released 1.1.0 through 3.1.0 in rapid succession between August 2025 and February 2026. Dependabot previously opened PR #2705 targeting 1.1.1 (the first release after the gap), but that PR is stale and was superseded by two further major versions before it could be merged. This PR jumps directly to the current latest.

Why password-sheriff is also bumped:
auth0-password-policies@3.x depends on password-sheriff@^2.0.0. Lock also uses password-sheriff directly (src/field/password.js, src/ui/input/password/password_strength.jsx) via password-sheriff/lib/policy. The lib/policy.js API is identical between v1 and v2 - the only addition is two new built-in rule types (sequentialChars, maxLength) which lock does not use. Bumping lock's direct constraint to ^2.0.0 avoids having two versions of password-sheriff in the install tree.

Why webpack.config.js needed a change:
auth0-password-policies@3.1.0 ships with ES2020 syntax (optional chaining ?.) in its source. The project runs es-check es2017 against the built bundle as a CI gate. The existing webpack babel rule has exclude: node_modules, which means third-party packages are bundled as-is without transpilation. For most packages this is fine since they ship pre-built ES5, but auth0-password-policies does not.

Adding a dedicated babel-loader rule for auth0-password-policies before the main rule handles this. There is one non-obvious subtlety: Babel 7's .babelrc is file-relative: it only applies to files within the same package root and is not used when babel processes files in a different package under node_modules. This means babel would run but apply no transforms, leaving ?. in the output. The fix is to pass presets explicitly in the rule's options alongside configFile: false and babelrc: false, so babel knows exactly what to do with the file regardless of config file boundaries.

References
Supersedes #2705
Testing
Checklist
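
The rule arrangement described under "Why webpack.config.js needed a change", sketched as an added example; it is not code from this pull request or from the project's webpack.config.js. The preset and its target, the main rule's test pattern, the sample paths and the helpers rulesFor and usesExplicitPresets are assumptions made for illustration.

```javascript
// Path pattern (assumed) for the one dependency that ships ES2020 source.
const ES2020_DEP = /node_modules[\\/]auth0-password-policies[\\/]/;

// Explicit options: Babel reads nothing from .babelrc or babel.config.*,
// so the transforms do not depend on which package root the file sits in.
const explicitBabelOptions = {
  configFile: false,
  babelrc: false,
  // Assumption: preset-env with a pre-ES2020 target; use the project's real presets.
  presets: [['@babel/preset-env', { targets: { chrome: '58' } }]],
};

const rules = [
  // Dedicated rule, listed before the main rule.
  { test: /\.js$/, include: ES2020_DEP, loader: 'babel-loader', options: explicitBabelOptions },
  // Main rule (test pattern assumed): third-party code is bundled without transpilation.
  { test: /\.jsx?$/, exclude: /node_modules/, loader: 'babel-loader' },
];

// Simplified stand-in for webpack's test/include/exclude matching (hypothetical helper).
function rulesFor(resourcePath) {
  return rules.filter((r) =>
    r.test.test(resourcePath) &&
    (!r.include || r.include.test(resourcePath)) &&
    (!r.exclude || !r.exclude.test(resourcePath)));
}

// True when a file would be transpiled with the explicit presets (hypothetical helper).
function usesExplicitPresets(resourcePath) {
  return rulesFor(resourcePath).some((r) => r.options === explicitBabelOptions);
}

// Constructed sample paths: the ES2020 dependency, first-party code, another dependency.
const samples = [
  '/app/node_modules/auth0-password-policies/index.js',
  '/app/src/field/password.js',
  '/app/node_modules/password-sheriff/lib/policy.js',
];
for (const p of samples) {
  console.log(p, 'rules:', rulesFor(p).length, 'explicit presets:', usesExplicitPresets(p));
}

// In a real webpack.config.js the array goes under module.rules.
if (typeof module !== 'undefined') module.exports = { module: { rules } };
```

Any other dependency that ships post-ES2017 syntax still matches no rule here, so the es-check gate on the built bundle remains the control that catches it.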