TritonDataCenter / node-http-signature

Reference implementation of Joyent's HTTP Signature Scheme
https://tritondatacenter.com
MIT License

Question: Possibility to back-port jsprim update to version 1.2.X #126

Closed felix-hcl closed 2 years ago

felix-hcl commented 2 years ago

As stated in #123 there was a security vulnerability down the dependency tree.

Unfortunately the well-known but already deprecated library request@2.88.2 depends on "http-signature": "~1.2.0". As you might be aware, there are still many (open source) packages out there which have not replaced request with a more up-to-date HTTP client.

I am aware that this is not a long-term solution/fix but I kindly ask if there is any possibility to back-port the jsprim update from #123 / #125 to a version 1.2.1?

felix-hcl commented 2 years ago

Closing this issue. Jsprim backported the fix to version 1.4.2 which resolves this issue since it is in the correct semver version range for http-signature@1.2.0 https://github.com/joyent/node-jsprim/releases/tag/v1.4.2
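The reason the jsprim 1.4.2 backport resolves the issue without a new http-signature release is the semver range arithmetic: request pins http-signature to `~1.2.0` (patch releases only), and http-signature 1.2.x in turn declares jsprim with a caret range, so a patched 1.4.x of jsprim is selectable by the existing lock-free resolution. The following is an added example (not code from this repository) that implements `~`/`^` range matching and walks that constructed chain. The jsprim range `^1.2.2` attributed to http-signature@1.2.0 and the list of available versions are assumptions for illustration, not taken from this thread.

```javascript
// Added example: minimal tilde/caret semver matching and a dependency-chain check.
// Assumption: http-signature@1.2.0 declares "jsprim": "^1.2.2" (not stated in the issue).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Supports only the two range operators used in this scenario: ~x.y.z and ^x.y.z.
function satisfies(version, range) {
  const op = range[0];
  if (op !== '~' && op !== '^') throw new Error(`only ~ and ^ ranges supported: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compare(v, base) < 0) return false; // below the declared minimum

  let upper; // exclusive upper bound
  if (op === '~') {
    upper = [base[0], base[1] + 1, 0]; // ~1.2.0 -> >=1.2.0 <1.3.0
  } else if (base[0] > 0) {
    upper = [base[0] + 1, 0, 0]; // ^1.2.2 -> >=1.2.2 <2.0.0
  } else if (base[1] > 0) {
    upper = [0, base[1] + 1, 0]; // ^0.2.1 -> >=0.2.1 <0.3.0
  } else {
    upper = [0, 0, base[2] + 1]; // ^0.0.3 -> exactly 0.0.3
  }
  return compare(v, upper) < 0;
}

// Highest available version within a range, or null if none qualifies.
function highestSatisfying(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok[ok.length - 1];
}

// Constructed registry snapshot: each package maps published versions to their declared deps.
const REGISTRY = {
  request: { '2.88.2': { 'http-signature': '~1.2.0' } },
  'http-signature': { '1.2.0': { jsprim: '^1.2.2' }, '1.3.6': { jsprim: '^1.2.2' } },
  jsprim: { '1.2.2': {}, '1.4.1': {}, '1.4.2': {}, '2.0.0': {} },
};

// Resolve a chain of package names from a root version, picking the highest match at each hop.
// Returns the resolved version of the last package in the chain (or null if a hop fails).
function resolveChain(registry, rootName, rootVersion, chain) {
  let name = rootName;
  let version = rootVersion;
  for (const next of chain) {
    const range = registry[name][version][next];
    const picked = highestSatisfying(range, Object.keys(registry[next]));
    if (picked === null) return null;
    name = next;
    version = picked;
  }
  return version;
}

// Does the patched jsprim reach a consumer that only updates request's transitive tree?
function patchReachable(registry, fixedJsprim) {
  const got = resolveChain(registry, 'request', '2.88.2', ['http-signature', 'jsprim']);
  return got !== null && compare(parseVersion(got), parseVersion(fixedJsprim)) >= 0;
}

console.log(resolveChain(REGISTRY, 'request', '2.88.2', ['http-signature', 'jsprim'])); // 1.4.2
console.log(patchReachable(REGISTRY, '1.4.2')); // true
```

In a real tree the same check is done by regenerating the lockfile (or `npm update jsprim`) and confirming the resolved jsprim with `npm ls jsprim`, since an existing lockfile will keep the older 1.4.1 until it is refreshed.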