Open trivikr opened 3 days ago
undici is an official Node.js dependency. I don't see why changing it to node:https will change things. If undici is vulnerable, Node.js is vulnerable (also npx). A different and more reasonable solution would be that we won't need to download a module, making npx is-my-node-vulnerable fast, but it possibly uses cache.
The feature request, and the discussion on Twitter, is not about the vulnerabilities in the Node.js version being tested, but the ones in the is-my-node-vulnerable module.
Yes, I understand. However, I'm still not convinced that removing undici in favor of node:https will enhance security. Upgrading undici might be a better option.
Yes, I understand. But upgrading undici, or any other dependencies, may conflict with the minimum Node.js version which is-my-node-vulnerable aims to support.
Ideally, this module should support some EOL Node.js versions, as it's aimed at informing users whether their Node.js version is vulnerable. But its dependencies may (and likely will) drop support for EOL Node.js versions sooner.
There's no package.json engines field for this module, and I couldn't find the minimum supported Node.js version in the README. As per https://github.com/RafaelGSS/is-my-node-vulnerable/pull/6#issuecomment-1406824777, I think this module aims to support Node.js 12+. Undici 6.x supports Node.js 18+, for example https://github.com/nodejs/undici/blob/e218fc61eda46da8784e0cedcaa88cd7e84dee99/package.json#L137-L139
Is your feature request related to a problem? Please describe.
Since is-my-node-vulnerable is officially recommended by Node.js, it would be better to have as few dependencies as possible.
Describe the solution you'd like
Use native options of dependencies when available
Additional context
Discussion on Twitter https://x.com/styfle/status/1847469788236255562