BranchMetrics / cordova-ionic-phonegap-branch-deep-linking-attribution

The Branch Cordova Ionic Phonegap SDK for deep linking and attribution. Branch helps mobile apps grow with deep links / deeplinks that power paid acquisition and re-engagement campaigns, referral programs, content sharing, deep linked emails, smart banners, custom user onboarding, and more.
https://docs.branch.io/apps/cordova-phonegap-ionic/
MIT License

request package critical vulnerability #700

Closed Sujay-shetty closed 2 years ago

Sujay-shetty commented 2 years ago

Hi,

As branch-cordova-sdk is using the request package, and request is deprecated and many vulnerabilities are being identified in it. Also, the recent vulnerability in json-schema, which is used in request, is a critical vulnerability with a high CVE score (9.8).

https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Could you please fix this vulnerability?

Thanks, Sujay

echo-branch commented 2 years ago

Thanks for the heads up. It's not used, but we forgot to remove it from the package.json. Will remove asap.

gdeluna-branch commented 2 years ago

Removed here https://www.npmjs.com/package/branch-cordova-sdk/v/5.0.1 https://github.com/BranchMetrics/cordova-ionic-phonegap-branch-deep-linking-attribution/releases/tag/v5.0.1

Thanks!

Sujay-shetty commented 2 years ago

Hi @gdeluna-branch , @echo-branch,

Thank you for taking quick action on resolving the request package issue.

But in package.json you are using shell.js version 0.8.3, which has a high vulnerability listed. https://nvd.nist.gov/vuln/detail/CVE-2022-0144

Could you please upgrade shell.js to the latest version (0.8.5), where this issue is fixed?

Thanks, Sujay

gdeluna-branch commented 2 years ago

Will address this asap.

gdeluna-branch commented 2 years ago

Patched in 5.0.2

Thanks
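The two findings raised in this thread, a deprecated dependency that should not be declared at all and a pinned version below the fixed release, are the kind of thing a small dependency check in CI catches before a user has to file an issue. The script below is an added example, not code from the Branch SDK or this thread; its advisory table, the `request` version and the package.json contents are constructed for the illustration, and it compares plain `x.y.z` versions only.

```javascript
// Added example (not from the Branch SDK or the issue thread): a minimal
// package.json check that flags a declared `request` dependency (deprecated;
// pulled in json-schema, CVE-2021-3918) and `shelljs` below 0.8.5
// (CVE-2022-0144). The advisory table is constructed for this example.
const ADVISORIES = {
  request: { fixedIn: null, reason: 'deprecated; transitively depends on json-schema (CVE-2021-3918)' },
  shelljs: { fixedIn: '0.8.5', reason: 'CVE-2022-0144, fixed in 0.8.5' },
};

// Strip common range prefixes (^, ~, =, v) and parse "x.y.z" into numbers.
// Returns null for specs that cannot be judged ("*", "latest", git URLs).
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk dependencies and devDependencies and return one finding per hit.
// Note: this judges the lower bound of a range spec ("^0.8.3" is flagged
// even though npm may resolve it to 0.8.5); on a real repository run the
// same check over the resolved versions in the lockfile.
function auditPackage(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const adv = ADVISORIES[name];
      if (!adv) continue;
      const v = parseVersion(spec);
      const unjudgeable = v === null;
      if (adv.fixedIn === null || unjudgeable || lessThan(v, parseVersion(adv.fixedIn))) {
        findings.push({ name, field, spec, reason: unjudgeable ? 'unparseable version spec' : adv.reason });
      }
    }
  }
  return findings;
}

// Constructed package.json fragments mirroring the thread: before 5.0.1/5.0.2
// (request still declared, shelljs pinned at 0.8.3) and after the fix.
const BEFORE = { dependencies: { request: '^2.88.0', shelljs: '0.8.3' } };
const AFTER = { dependencies: { shelljs: '^0.8.5' } };

console.log('before:', auditPackage(BEFORE));
console.log('after:', auditPackage(AFTER));
```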