Open aqan213 opened 3 years ago
Thanks for this. The solution would be to update our dependency to a version of node-gyp that doesn't require a version of `request`. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires `request` at a level of `^2.88.2`. Can you tell me if that version of `request` still has that vulnerability please?
According to https://github.com/request/request/issues/2640 it looks like all versions of `request` are vulnerable. Solution is therefore to get node-gyp to move away from `request`. It looks like they already have an issue open for that, https://github.com/nodejs/node-gyp/issues/2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.
Thanks for the response. How about the other two versions of request from the other two packages?
"request": "^2.72.0"
-->"ibmapm-restclient"
--> "ibmapm-embed"
--> "appmetrics"
and
"request": "^2.83.0"
--> "kubernetes-client"
--> "ibmapm-restclient"
--> "ibmapm-embed"
--> "appmetrics"
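The chains above were read off by hand; as an added example (not code from this thread or from appmetrics), the function below walks an `npm ls --json`-style tree and returns every path from the root down to a named package, so all instances of `request` can be enumerated and re-checked after an upgrade. The tree is constructed to mirror the hierarchy in this issue; the intermediate package versions marked `constructed` are placeholders, not values from the page.

```javascript
// Added example: enumerate every dependency path that ends in `target`.
// `tree` follows the shape of `npm ls --json` output (root and each nested
// entry have `version` and an optional `dependencies` object). Entries that
// npm has deduplicated simply carry no `dependencies`, so recursion stops there.
function findDependencyPaths(tree, target, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === target) out.push(here);
    findDependencyPaths(info, target, here, out); // keep descending: a dep may appear again deeper
  }
  return out;
}

// Render paths in the "-->" style used in the issue comments.
function formatPaths(paths) {
  return paths.map((p) => p.join(' --> '));
}

// Constructed sample tree reflecting the three `request` chains reported here.
// Versions tagged "constructed" are placeholders, not from the thread.
const sampleTree = {
  name: 'bluemix-autoscaling-agent',
  version: '0.0.0-constructed',
  dependencies: {
    appmetrics: {
      version: '5.1.1',
      dependencies: {
        'node-gyp': { version: '5.1.1', dependencies: { request: { version: '2.88.0' } } },
        'ibmapm-embed': {
          version: '0.0.0-constructed',
          dependencies: {
            'ibmapm-restclient': {
              version: '0.0.0-constructed',
              dependencies: {
                request: { version: '2.72.0' },
                'kubernetes-client': {
                  version: '0.0.0-constructed',
                  dependencies: { request: { version: '2.83.0' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

for (const line of formatPaths(findDependencyPaths(sampleTree, 'request'))) console.log(line);
```

On a real checkout, pipe `npm ls --all --json` into this function to get the same listing for the installed tree.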
Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client
Hi @mattcolegate , it seems like https://github.com/nodejs/node-gyp/pull/2220 solved issue https://github.com/nodejs/node-gyp/issues/2047 migrating requests to fetch. When do you plan to use the nodejs version containing the fix ?
Hi @donacarr, looks like this is going into node-gyp v8.0.0 https://github.com/nodejs/node-gyp/pull/2346 - when that version releases we can start looking to pull it into appmetrics
Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package. The vulnerability reports that
The module bluemix-autoscaling-agent uses the latest version appmetrics v5.1.1 and request 2.88.0 is a dependency of node-gyp 5.1.1 which is the dependency of appmetrics.
Here is the hierarchy of the "request" module tracking back to bluemix-autoscaling-agent.
Three instances:
Can you please take a look?