admc / wd

A node.js client for webdriver/selenium 2.

Update request dependency #555

Closed davedoesdev closed 5 years ago

davedoesdev commented 6 years ago

GitHub is moaning about a vuln in cryptiles@3.12, brought in via request.

admc commented 6 years ago

Github has outlined a whole slew of vulnerabilities in outdated package dependencies. Much of this requires pretty significant changes, which will take some free weekends!

On Fri, Sep 14, 2018 at 1:41 PM David Halls notifications@github.com wrote:

GitHub is moaning about a vuln in cryptiles@3.12, brought in via request.

davedoesdev commented 6 years ago

No problem - library is still working great (thanks)! For non-production use this won't be relevant anyway.

kt3k commented 6 years ago

cryptiles seems to be required this way:

  └─┬ wd@1.10.3
    └─┬ request@2.85.0
      └─┬ hawk@6.0.2
        └── cryptiles@3.1.2

The request module seems to have dropped the hawk dependency lately (ref: https://github.com/request/request/pull/2943).

If we update request dependency version to 2.87 or above, the above vulnerability warning should disappear.
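The chain above can be checked mechanically rather than by reading the tree by eye. The following is an added example, not code from the wd project or from anyone in this thread; it assumes a tree shaped like `npm ls --json` output, and the two sample trees are constructed from the chain quoted here.

```javascript
// Added example (not part of the wd project): walk an `npm ls --json`-shaped
// dependency tree and report every path that leads to a given package, so a
// maintainer can confirm which direct dependency pulls in a flagged module.
// The sample trees are constructed from the chain quoted in this issue.

// Return every path (arrays of "name@version") from the root to `target`.
function findDependencyPaths(root, target) {
  const paths = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === target) paths.push(here);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  };
  walk(root, root.name, []);
  return paths;
}

// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Flag the tree if `cryptiles` is still reachable or any copy of `request`
// is older than 2.87.0 (the version kt3k identified as dropping hawk).
function audit(tree) {
  const cryptilesPaths = findDependencyPaths(tree, 'cryptiles');
  const requestOk = findDependencyPaths(tree, 'request').every(p => {
    const leaf = p[p.length - 1];
    return compareVersions(leaf.slice(leaf.lastIndexOf('@') + 1), '2.87.0') >= 0;
  });
  return { cryptilesPaths, requestOk, clean: cryptilesPaths.length === 0 && requestOk };
}

// Constructed: the tree kt3k posted (before the fix) and the same tree after
// bumping request to 2.87.0, which no longer pulls in hawk.
const before = { name: 'wd', version: '1.10.3', dependencies: { request: {
  version: '2.85.0', dependencies: { hawk: { version: '6.0.2', dependencies: {
    cryptiles: { version: '3.1.2' } } } } } } };
const after = { name: 'wd', version: '1.10.3',
  dependencies: { request: { version: '2.87.0', dependencies: {} } } };

console.log(audit(before)); // cryptiles reachable, requestOk false, clean false
console.log(audit(after));  // no cryptiles path, requestOk true, clean true
```

On a real checkout, feed `JSON.parse` of `npm ls --json` output into `audit` instead of the constructed trees.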

mattrayner commented 5 years ago

@admc is this something you would accept a PR for? I'm more than happy to have a go.

admc commented 5 years ago

@mattrayner absolutely, I really want to update all this stuff, but I simply can't find the time right now! If you are willing to send some PR's over, I will absolutely review, test and merge.

mattrayner commented 5 years ago

@admc Amazing, I'll have a go right now!

NozomiIto commented 5 years ago

Thanks for the nice fix! When will this fix be released? I want to resolve this security problem on my product.

admc commented 5 years ago

Working on it.

NozomiIto commented 5 years ago

Thank you so much!

jonny-improbable commented 5 years ago

Hi @admc, thanks for looking into this issue.

I can't see a new version of wd on npm. The latest version of the wd package at the time of this comment is 1.11.1, which was released 2 months ago.

[screenshot of the wd npm package page, 2019-01-12]

I don't feel that this issue should be closed until a new version (1.11.2) is published to npm. Apologies if I've misunderstood anything.

NozomiIto commented 5 years ago

I think 1.11.1 contains the fix for this problem, and it actually resolved this issue on my environment.

admc commented 5 years ago

@jonny-improbable can you check it out and let me know if your issue is solved?