passport-oauth2 v1.6.1 #851
jaredhanson
announced in
Announcements
A pull request raised concerns over a potential scenario which would allow improper authentication when using passport-oauth2 (and strategies based on passport-oauth2). Since security of Passport and related packages is of highest priority, an assessment has been performed and details have been published.
To briefly summarize, I don't believe the report constitutes a legitimate security vulnerability, and there is no evidence of exploits.
That being said, the modifications suggested by the pull request add additional safeguards as part of a defense in depth approach. These safeguards are available in passport-oauth2@1.6.1.