Bump com.nimbusds.oauth2-oidc-sdk from 11.9.1 to 11.18

[crimsonvspurple]

Vulnerabilities from dependencies:
CVE-2024-34447
CVE-2024-30172
CVE-2024-30171
CVE-2024-29857

[bgavrilMS]

@Avery-Dunn - why do we need this dependency? Is it to create the client assertion from a certificate for confidential client flows? Maybe in the long run it's better to just have MSAL do that from scratch? It's just a json string + signature.

[crimsonvspurple]

Fully agree with you, remove if possible.

I could not find any PR for this. Shouldn't dependabot open PR for these automatically?

[bgavrilMS]

Fully agree with you, remove if possible.

I could not find any PR for this. Shouldn't dependabot open PR for these automatically?

Yes, I am not sure why Dependabot didn't alert us. The security tab doesn't show these.

[Avery-Dunn]

@bgavrilMS : We use it several places for standard OIDC stuff about tokens, credentials, authorization grants, etc. We could probably remove it, but it would be quite a few code changes. Seems like we have to update this dependency at least once a year, so maybe removing it is worth the effort.

As for why dependabot didn't create a PR for us: the vulnerability is in an optional dependency of oauth2-oidc-sdk, and my best guess is that we don't use the part of oauth2-oidc-sdk that's vulnerable:

• The dependency with the vulnerability is this 'bcprov-jdk18on' package: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on
• In the dependency list for oauth2-oidc-sdk you can see that it's 'optional': https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/11.9.1
• We might not use the features that require that optional dependency so it's not considered part of msal4j's dependency tree, which is why our package isn't also listed as vulnerable: https://mvnrepository.com/artifact/com.microsoft.azure/msal4j/1.17.0

Regardless, thanks for letting us know @crimsonvspurple !