Skip to content

chore(deps): update dependency @rockcarver/frodo-lib to v2.0.0 (main) #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mend-for-github-com wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @rockcarver/frodo-lib to v2.0.0 (main) #397

mend-for-github-com wants to merge 1 commit into from

Conversation

@mend-for-github-com
Copy link

@mend-for-github-com mend-for-github-com bot commented Sep 18, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
@rockcarver/frodo-lib dependencies patch 2.0.0-71 -> 2.0.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability
High High 8.6 CVE-2025-12816
High High 7.5 CVE-2024-45296
High High 7.5 CVE-2024-45590
High High 7.5 CVE-2024-52798
High High 7.5 CVE-2025-27152
High High 7.5 CVE-2025-66031
Medium Medium 6.5 CVE-2023-45857
Medium Medium 6.2 CVE-2025-27789
Medium Medium 6.1 CVE-2024-29041
Medium Medium 5.3 CVE-2024-47764
Medium Medium 5.3 CVE-2025-66030
Medium Medium 5.0 CVE-2024-43796
Medium Medium 5.0 CVE-2024-43799
Medium Medium 5.0 CVE-2024-43800
Low Low 3.4 CVE-2025-7339

Release Notes

rockcarver/frodo-lib (@​rockcarver/frodo-lib)

v2.0.0

Compare Source

Changed
Multi-Instantiability

2.x introduces breaking changes to support multiple instances of the library to run concurrently and connect to multiple different Ping Identity Platform instances at the same time. 1.x operates using a global singleton, making it impossible to connect to more than one platform instance at a time.

New Library Structure

Removing the singleton pattern and introducing multi-instantiability forced a radical redesign of the core library functions while striving to maintain the basic usage pattern. The library is now exposing two main types describing its modules (Frodo) and state (State). Each module in turn exports all its collection of functions as a type as well. Exposing the library structure as types enables auto-completion for both JS and TS developers with properly configured IDEs like Visual Studio Code or other and also serves as an abstraction layer between what the library exposes vs what and how it's implemented.

New FrodoError Class

All the errors thrown by the library are of the class FrodoError, introduced in 2.x. The new error class addresses the following challenges of earlier library versions:

  • Allows applications using the library to determine if the error originated in the library or is an unexpected and unhandled error from deeper down the stack.

  • Nesting of errors:

    When the library throws because it caught an error thrown deeper down the stack, it wraps the caught Error in a FrodoError.

  • Nesting of arrays of errors

    The library supports many operation that require a number of actions to occur in a row or in parallel. Often these operations are REST API calls and any of those calls may fail for any reason. To preserve status of every operation, FrodoError can also wrap an array of errors, each of which may be another instance of FrodoError wrapping an individual or an array of errors.

  • Provides a stack-like combined error message concatenating the messages of all wrapped errors and nested errors.

  • Includes standardized fields to surface network errors in case the Error on top of the stack is an AxiosError.

  • The new printError function recognizes FrodoError and prints a uniformly formatted expression of the error including an interpretation of the fields for network stack errors.

New Modules

The following modules have been updated and/or added since 1.x:

Module Since Capabilities
frodo.admin 1.0.0 Library of common and complex admin tasks.
frodo.agent 1.0.0 Manage web, java, and gateway agents.
frodo.app 2.0.0 Manage platform applications and dependencies.
frodo.authn.journey 1.0.0 Manage authentication journeys.
frodo.authn.node 1.0.0 Manage authentication nodes.
frodo.authn.settings 2.0.0 Manage realm-wide authentication settings.
frodo.authz.policy 1.0.0 Manage authorization policies and dependencies.
frodo.authz.policySet 1.0.0 Manage policy sets and dependencies.
frodo.authz.resourceType 1.0.0 Manage resource types and dependencies.
frodo.cache 2.0.0 Token cache management exposed through the library but primarily used internally.
frodo.cloud.adminFed 1.0.0 Manage PingOne Advanced Identity Cloud admin federation.
frodo.cloud.feature 1.0.0 Obtain info on PingOne Advanced Identity Cloud features.
frodo.cloud.log 1.0.0 Access PingOne Advanced Identity Cloud debug and audit logs.
frodo.cloud.secret 1.0.0 Mange secrets in PingOne Advanced Identity Cloud.
frodo.cloud.serviceAccount 1.0.0 Manage service accounts in PingOne Advanced Identity Cloud.
frodo.cloud.startup 1.0.0 Apply changes to secrets and variables and restart services in PingOne Advanced Identity Cloud.
frodo.cloud.variable 1.0.0 Manage variables in PingOne Advanced Identity Cloud.
frodo.conn 1.0.0 Manage connection profiles.
frodo.config 2.0.0 Manage the whole platform configuration.
frodo.email.template 1.0.0 Manage email templates (IDM).
frodo.idm.config 2.0.0 Manage any IDM configuration object.
frodo.idm.connector 2.0.0 Manage IDM connector configuration.
frodo.idm.managed 1.0.0 Manage IDM managed object schema (managed.json).
frodo.idm.mapping 2.0.0 Manage IDM mappings (sync.json).
frodo.idm.organization 1.0.0 Limited Org Model management exposed through the library but primarily used internally.
frodo.idm.recon 2.0.0 Read, start, cancel IDM recons.
frodo.idm.system 2.0.0 Manage data in connected systems.
frodo.info 1.0.0 Obtain information about the connected instance and authenticated identity.
frodo.login 1.0.0 Authenticate and obtain necessary tokens.
frodo.oauth2oidc.client 1.0.0 Manage OAuth 2.0 clients.
frodo.oauth2oidc.endpoint 2.0.0 Limited OAuth 2.0 grant flows exposed through the library but primarily used internally.
frodo.oauth2oidc.external 1.0.0 Manage external OAuth 2.0/OIDC 1.0 (social) identity providers.
frodo.oauth2oidc.issuer 2.0.0 Manage trusted OAuth 2.0 JWT issuers.
frodo.oauth2oidc.provider 1.0.0 Manage the realm OAuth 2.0 provider.
frodo.realm 1.0.0 Manage realms.
frodo.saml.circlesOfTrust 1.0.0 Manage SAML 2.0 circles of trust.
frodo.saml.entityProvider 1.0.0 Manage SAML 2.0 entity providers.
frodo.script 1.0.0 Manage access management scripts.
frodo.service 1.0.0 Manage access management services.
frodo.session 2.0.0 Limited session management exposed through the library but primarily used internally.
frodo.state 1.0.0 Manage library state.
frodo.theme 1.0.0 Manage platform themes (hosted pages).
frodo.utils.constants 1.0.0 Access relevant library constants.
frodo.utils.jose 1.0.0 Jose utility functions exposed through the library but primarily used internally.
frodo.utils.json 1.0.0 JSON utility functions exposed through the library but primarily used internally.
frodo.utils.version 1.0.0 Utility functions to obtain current library version and available released versions.
Secure Token Caching

The 2.x version of the library uses a secure token cache, which is active by default. The cache makes it so that when the frodo.login.getTokens() method is called, available tokens are updated in state from cache and if none are available, they are obtained from the instance configured in state. The cache is tokenized and encrypted on disk, so it persists across library instantiations. You can disable the cache by either setting the FRODO_NO_CACHE environment variable or by calling state.setUseTokenCache(false) from your application.
You can change the default location of the cache file (~/.frodo/TokenCache.json) by either setting the FRODO_TOKEN_CACHE_PATH environment variable or by calling state.setTokenCachePath('/path/to/cache.json').

Automatic Token Refresh

The 2.x version of the library automatically refreshes session and access tokens before they expire. Combined with the new token cache, the library will maintain a set of valid tokens in state at all times until it is shut down. If you do not want to automatically refresh tokens, set the autoRefresh parameter (2nd param) of your frodo.login.getTokens() call to false.

Node.js Versions
  • Dropped support for Node.js 14 and 16.
  • Kept supporting Node.js 18.
  • Added support for Node.js 20 and 22.
Node.js frodo-lib 1.x frodo-lib 2.x frodo-lib 3.x
14
16
18
20
22
24
Considerations
Platform Passwords And Secrets

Platform passwords and secrets are configuration values that are stored encrypted as part of platform configuration. Examples are oauth2 client secrets or service account passwords.

Frodo generally doesn't export platform passwords and secrets. The platform supports configuration placeholders and environment secrets and variables allowing administrators to separate the functional configuration from sensitive secrets and variable configuration values. frodo assumes administrators take full advantage of these capabilities so that there is no need or expectation that exports include passwords and secrets. However, where the APIs support it, administrators can seed import data with raw secrets and frodo will import them.

Advanced Identity Cloud Environment Secrets And Variables (ESVs)

Frodo supports exporting and importing of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo always encrypts values using either encryption keys from the source environment (default) or the target environment. Frodo never exports secrets in the clear.

v2.0.0-96

Compare Source

v2.0.0-95

Compare Source

v2.0.0-94

Compare Source

v2.0.0-93

Compare Source

v2.0.0-92

Compare Source

Added
Fixed
  • rockcarver/frodo-cli#400: Frodo now properly honors the allowInsecureConnection state option and allows connecting to platform instances using self-signed certificates.

v2.0.0-91

Compare Source

v2.0.0-90

Compare Source

v2.0.0-89

Compare Source

Added
  • Frodo now supports exporting (and importing) of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo will always encrypt values using either encryption keys from the source environment (default) or the target environment (export option). Frodo will never export secrets in the clear. However, frodo supports importing clear values (as well as importing encrypted values).
  • #​387: Support import of ESVs (variables and secrets)
  • #​394: Support for base64aes encoding for ESV secrets

v2.0.0-88

Compare Source

Changed
  • Pipeline hygene

v2.0.0-87

Compare Source

Changed
  • #​417: Added support for node 22
  • #​363: Updated information in README

v2.0.0-86

Compare Source

Changed
  • #​402: Library scripts are now treated as dependencies during script and journey exports and imports.

v2.0.0-85

Compare Source

Changed
  • Updated dependencies
  • Updated examples

v2.0.0-84

Compare Source

Changed
  • Updated dependencies, in particular axios
  • Pipeline changes

v2.0.0-83

Compare Source

Fixed
  • #​409: Importing applications does not import required mappings

v2.0.0-82

Compare Source

v2.0.0-81

Compare Source

v2.0.0-80

Compare Source

v2.0.0-79

Compare Source

v2.0.0-78

Compare Source

v2.0.0-77

Compare Source

Fixed
  • Improved filtering out secrets from recordings

v2.0.0-76

Compare Source

Fixed
  • #​392: Implemented error handling pattern for methods with unusual amounts of REST calls like frodo.config.exportFullConfiguration and frodo.config.importFullConfiguration

v2.0.0-75

Compare Source

Fixed
  • #​397: Service accounts now use the proper scopes when created using the frodo conn save command

v2.0.0-74

Compare Source

Fixed
  • #​391: Frodo now creates service accounts with all allowed scopes:
    • fr:am:*
    • fr:idc:analytics:*
    • fr:autoaccess:*
    • fr:idc:certificate:*
    • fr:idc:certificate:read
    • fr:idc:content-security-policy:*
    • fr:idc:custom-domain:*
    • fr:idc:esv:*
    • fr:idc:esv:read
    • fr:idc:esv:restart
    • fr:idc:esv:update
    • fr:idm:*
    • fr:iga:*
    • fr:idc:promotion:*
    • fr:idc:release:*
    • fr:idc:sso-cookie:*

v2.0.0-73

Compare Source

Fixed
  • #​393: Frodo now again properly imports oauth2 clients exported from an older AM version without provider overrides.
  • #​390: Frodo now uses its own error type FrodoError for all ops layer errors.

v2.0.0-72

Compare Source

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Sep 18, 2025
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/main-rockcarver-frodo-lib-2.x-lockfile branch from abcaa74 to 850c70e Compare October 9, 2025 02:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security fix Security fix generated by Mend

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant