XeroAPI / xero-node

Xero Node SDK for OAuth 2.0 generated from XeroAPI/Xero-OpenAPI
http://developer.xero.com/
MIT License

The request package used by Node 4.3.0 is deprecated #659

Closed aakashbhatiaaccenture closed 4 months ago

aakashbhatiaaccenture commented 5 months ago

SDK you're using (please complete the following information):

Describe the bug xero-node >=4.0.0-alpha.1 depends on vulnerable versions of request. The request package itself is deprecated.

To Reproduce Steps to reproduce the behavior:

  1. Install xero-node >= 4.0.0 using npm
  2. Run 'npm audit'
  3. See the vulnerability listed

Expected behavior It should not make use of the deprecated package. Instead it could use one of the following listed packages: https://github.com/request/request/issues/3143
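One way to check a project for the transitive dependency the steps above describe (an added example, not code from xero-node or from the issue's author): it walks the JSON that `npm ls --all --json` prints and lists every path that reaches a given package, so a nested `request` shows up as well as a direct one. The `my-app`, `hypothetical-http-helper` and `unrelated-lib` names and every version except xero-node's 4.0.0 are constructed.

```javascript
// Walk an `npm ls --all --json` tree and return one "a@1 > b@2 > target@3"
// string per path that ends at `target`. Deduped entries (npm prints them
// with `deduped: true` and no children) still count as a path.
function findDependencyPaths(tree, target = "request") {
  const found = [];
  const walk = (name, node, trail) => {
    const label = `${name}@${node.version || "?"}`;
    const path = trail.concat(label);
    if (name === target) found.push(path.join(" > "));
    // Cycle guard: stop if this exact package@version is already on the trail.
    if (trail.includes(label)) return;
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(childName, child, path);
    }
  };
  walk(tree.name || "root", tree, []);
  return found;
}

// Constructed sample tree (not real `npm ls` output): xero-node 4.0.0, the
// version range named in the issue, depends on request directly, and a
// hypothetical helper package pulls it in a second time.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "xero-node": {
      version: "4.0.0",
      dependencies: {
        request: { version: "0.0.0-sample" },
        "hypothetical-http-helper": {
          version: "0.0.0-sample",
          dependencies: { request: { version: "0.0.0-sample" } },
        },
      },
    },
    "unrelated-lib": { version: "0.0.0-sample" },
  },
};

// Report every path to `request`; a non-empty result is what a CI gate
// would fail on until the nested dependency is gone too.
const paths = findDependencyPaths(SAMPLE_TREE, "request");
console.log(paths.length ? paths.join("\n") : "request not found");
```

To run it on a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` in that project's directory.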

github-actions[bot] commented 5 months ago

PETOSS-381

github-actions[bot] commented 5 months ago

Thanks for raising an issue, a ticket has been created to track your request

AndrewLugg commented 5 months ago

They have known about this for over a year and don't seem to care. I feel this package is unmaintained. They are updating the Xero API endpoints, but not maintaining any security updates.

manishT72 commented 5 months ago

Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

aakashbhatiaaccenture commented 5 months ago

> Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

Thanks very much, really appreciate it

sangeet-joy-tw commented 4 months ago

This issue is fixed in the latest version of xero-node.