Skip to content

Update "request" version to avoid security vulnerability #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kyle-apex wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update "request" version to avoid security vulnerability #46

kyle-apex wants to merge 1 commit into from

Conversation

@kyle-apex
Copy link

@kyle-apex kyle-apex commented Nov 28, 2017

Update "request" version to avoid dependency on vulnerable tough-cookie version:

npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

@kyle-apex
Update request version to avoid dependency on a security vulnerable t…
5150f74 
…ough-cookie version: tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
@srl295
Copy link

srl295 commented Oct 1, 2018

ws also needs an update https://nodesecurity.io/advisories/550

@adrukh
Copy link

adrukh commented Dec 25, 2018

Folks I'm asking to re-ignite this issue as the vulnerabilities introduced by this dependency are piling up... see https://snyk.io/test/npm/cf-client

Disclaimer 1 - I work for @snyksec
Disclaimer 2 - our CF integration relies on this package and I really want it to be vuln-free

Can I suggest a naive change that will allow the client to track updates in its dependencies like so:

  "dependencies": {
    "bluebird": "^3.0.6",
    "protobufjs": "^5.0.1",
    "request": "^2.81.0",
    "restler": "^3.4.0",
    "ws": "^1.1.1"
  }

This will remove 9 out of the 10 vulnerabilities that currently exist in this package via its dependencies.

I acknowledge the fact this package is seeing very little traction over the past 2 years, but really hope that security considerations will be sufficient to make one more release 🙏

@srl295
Copy link

srl295 commented Dec 26, 2018 via email

@adrukh adrukh mentioned this pull request Dec 26, 2018
Merged
@adrukh
Copy link

adrukh commented Dec 26, 2018

Ready with #49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@srl295 srl295 srl295 approved these changes

@jungleBadger jungleBadger jungleBadger approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kyle-apex @srl295 @adrukh @jungleBadger