Updating vulnerable koa version in oidc-provider version 7.14.3

[7mllm7]

Context

1. oidc-provider's recent 7.x version (7.14.3) depends on koa version 2.13.4 (package-lock.json).
2. Earlier this year a critical vulnerability was found in koa version <=2.15.3.
3. Since there were no more updates to version 7.x, users of this package who want to fix this vulnerability are obliged to update a major version (i.e. >=8.x).
4. As a highly critical and security-sensitive package, updating it might be a difficult / complex task, which requires a lot of testing, risking bugs in production.

Proposal

I propose to create another backwards-maintained version - 7.14.4 - which only updates koa to the non-vulnerable version 2.15.14, or even version 2.16.2 (which is the latest 2.x version).
From my testing, such update of dependency works smoothly, with no other changes.

If the maintainers agree, I have a PR ready to submit.

Would love to hear what you think.

Thanks!

[panva]

oidc-provider's recent 7.x version (7.14.3) depends on koa version 2.13.4 (package-lock.json).

package-lock is not published to npm, your install will not use 2.13.4 just because it's in this repo's package-lock in a historical commit.

Since there were no more updates to version 7.x, users of this package who want to fix this vulnerability are obliged to update a major version (i.e. >=8.x).

1. v7.x is out of support
2. you should look into just using npm and updating your dependency tree, i.e. your own package-lock with npm update

I propose to create another backwards-maintained version - 7.14.4 - which only updates koa to the non-vulnerable version 2.15.14, or even version 2.16.2 (which is the latest 2.x version).

There's no need for any of this, a fresh install or npm upgrade always uses the latest semver matching version. I.e. ^2.13.4 which resolves to 2.16.2 today.