Closed felix-hcl closed 2 years ago
Closing this issue. Jsprim backported the fix to version 1.4.2 which resolves this issue since it is in the correct semver version range for http-signature@1.2.0
https://github.com/joyent/node-jsprim/releases/tag/v1.4.2
As stated in #123 there was a security vulnerability down the dependency tree.
Unfortunately the well-known but already deprecated library request@2.88.2 depends on "http-signature": "~1.2.0". As you might be aware, there are still many (open source) packages out there which have not replaced request with a more up-to-date HTTP client. I am aware that this is not a long-term solution/fix, but I kindly ask if there is any possibility to back-port the jsprim update from #123 / #125 to a version 1.2.1?