[@shopify/koa-shopify-auth] Cross-site scripting in koa-shopify-auth

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-8176
• https://github.com/Shopify/quilt/pull/1455
• https://hackerone.com/reports/881409
• https://github.com/advisories/GHSA-jqh7-w5pr-cr56