RafaelGSS / is-my-node-vulnerable

package that checks if your Node.js installation is vulnerable to known security vulnerabilities
MIT License
174 stars 6 forks

Use native options of dependencies when available #19

Open trivikr opened 3 days ago

trivikr commented 3 days ago

Is your feature request related to a problem? Please describe.

Since is-my-node-vulnerable is officially recommended by Node.js, it would be better to have as few dependencies as possible.

Describe the solution you'd like

Use native options of dependencies when available

Additional context

Discussion on Twitter https://x.com/styfle/status/1847469788236255562

RafaelGSS commented 3 days ago

undici is an official Node.js dependency. I don't see why changing it to node:https will change things. If undici is vulnerable, Node.js is vulnerable (also npx). A different and more reasonable solution would be that we won't need to download a module, making `npx is-my-node-vulnerable` fast, but it possibly uses the cache.

trivikr commented 3 days ago

The feature request, and the discussion on Twitter, is not about the vulnerabilities of the Node.js version being tested, but the ones in the is-my-node-vulnerable module's own dependencies.

RafaelGSS commented 3 days ago

Yes, I understand. However, I'm still not convinced that removing undici in favor of node:https will enhance security. Upgrading undici might be a better option.

trivikr commented 2 days ago

Yes, I understand. But upgrading undici, or any other dependency, may conflict with the minimum Node.js version which is-my-node-vulnerable aims to support.

Ideally, this module should support some EOL Node.js versions, as it's aimed at informing users whether their Node.js version is vulnerable. But its dependencies may (and likely will) drop support for EOL Node.js versions sooner.

There's no package.json `engines` field for this module, and I couldn't find a minimum supported Node.js version in the README. As per https://github.com/RafaelGSS/is-my-node-vulnerable/pull/6#issuecomment-1406824777, I think this module aims to support Node.js 12+. Undici 6.x supports Node.js 18+, for example https://github.com/nodejs/undici/blob/e218fc61eda46da8784e0cedcaa88cd7e84dee99/package.json#L137-L139