MadKudu / node-hubspot

Node wrapper for the HubSpot API
MIT License
192 stars 157 forks

Transitive security vulnerability via request package #309

Open kasymbayaman opened 3 years ago

kasymbayaman commented 3 years ago

How to reproduce:

npm audit security report:

```
Moderate:      json-schema is vulnerable to Prototype Pollution
Package:       json-schema
Patched in:    >=0.4.0
Dependency of: @hubspot/api-client
Path:          @hubspot/api-client > request > http-signature > jsprim > json-schema
More info:     https://github.com/advisories/GHSA-896r-f27r-55mw
```

Expected Behavior

request depends on http-signature with the security fix, i.e. ~1.3.6 (joyent/node-http-signature#125)

Current Behavior

request 2.88.2 depends on the vulnerable http-signature 1.2.0

danielmbarlow commented 1 year ago

There is also the tough-cookie security vulnerability fixed in v4.1.3, whereas request depends on an earlier version.