After installing the package, npm audit was run and it found the following:
# npm audit report
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
2 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
After investigation, according to this https://github.com/advisories/GHSA-72xf-g2v4-qvf3, the vulnerable code was fixed in version 4.1.3, and from the file package-lock.json this package is using 2.5.0.
Can the software be updated to this version to avoid this issue?
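One way to confirm what the issue reports from package-lock.json, as an added example (not code from this project): it walks the lockfile's `packages` map (lockfileVersion 2/3), finds each installed copy of tough-cookie, compares its version with the first fixed release 4.1.3 named in the advisory, and lists which package declares it as a dependency, here `request`. The lockfile contents are constructed to mirror the audit output above.

```javascript
// Added example, not part of the issue or the project. Locates a vulnerable
// transitive dependency in a package-lock.json (lockfileVersion 2/3), reports
// the resolved version against the first fixed version, and shows which
// packages pull it in. Replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) for a real tree.

// Constructed sample lockfile mirroring the audit report: the root depends on
// "request", which depends on tough-cookie 2.5.0 (fixed in 4.1.3).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { request: "^2.88.2" } },
    "node_modules/request": { version: "2.88.2", dependencies: { "tough-cookie": "~2.5.0" } },
    "node_modules/tough-cookie": { version: "2.5.0" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build tags are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Package name from a lockfile key, e.g. "node_modules/a/node_modules/b" -> "b".
function nameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Every installed copy of `pkg`, whether it predates `fixedIn`, and who depends on it.
function findVulnerable(lock, pkg, fixedIn) {
  const entries = Object.entries(lock.packages);
  return entries
    .filter(([key]) => key !== "" && nameFromKey(key) === pkg)
    .map(([key, entry]) => ({
      path: key,
      version: entry.version,
      vulnerable: compareSemver(entry.version, fixedIn) < 0,
      dependents: entries
        .filter(([k, e]) => k !== key && e.dependencies && pkg in e.dependencies)
        .map(([k]) => (k === "" ? "(root)" : nameFromKey(k))),
    }));
}

console.log(findVulnerable(SAMPLE_LOCK, "tough-cookie", "4.1.3"));
```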
I will look into removing the dep, as it's just used for the auth service. Still, the auth service is only used once to create the base config, and it's not a public-facing server nor used in the module by itself.