altostra / altostra-cli-login-auth0

A library that abstracts and automates the process of logging in with Auth0 from CLI
https://medium.com/altostra/cli-authentication-with-auth0-7c9899628a44
MIT License

2 vulnerabilities in request > tough-cookie dependency #7

Open quipo opened 1 year ago

quipo commented 1 year ago

% yarn audit

yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ tough-cookie Prototype Pollution vulnerability               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @altostra/cli-login-auth0                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @altostra/cli-login-auth0 > request > tough-cookie           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092470                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Server-Side Request Forgery in Request                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ request                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @altostra/cli-login-auth0                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @altostra/cli-login-auth0 > request                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092972                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
quipo commented 1 year ago

Incidentally, request has been deprecated as of Feb 11th, 2020; see https://github.com/request/request/issues/3142
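An added check, not code from altostra-cli-login-auth0 or from either commenter: a small Node.js script that parses a yarn v1 lockfile, walks the resolved dependency graph from the app's own direct dependencies, and reports every path that reaches a tough-cookie release below the patched 4.1.3 (the "Patched in" row above) and every path that reaches the deprecated request package, for which the audit lists no patch. The lockfile excerpt, the version numbers in it and the app's dependency list are constructed for the example and are not the project's real lockfile.

```javascript
// Added example: find vulnerable transitive dependencies in a yarn v1 lockfile.
// Not part of altostra-cli-login-auth0; lockfile contents below are constructed.

const PATCHED_TOUGH_COOKIE = "4.1.3"; // "Patched in >=4.1.3" per the audit output

// Constructed yarn.lock v1 excerpt (assumed versions, for illustration only).
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"@altostra/cli-login-auth0@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@altostra/cli-login-auth0/-/cli-login-auth0-1.0.0.tgz"
  dependencies:
    request "^2.88.2"

request@^2.88.2:
  version "2.88.2"
  dependencies:
    tough-cookie "~2.5.0"

tough-cookie@~2.5.0:
  version "2.5.0"
  dependencies:
    psl "^1.1.28"

psl@^1.1.28:
  version "1.9.0"
`;

// Parse a v1 lockfile into a Map of "name@range" selector -> { name, version, deps }.
// A header line may list several comma-separated selectors that resolve to one entry.
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const selectors = raw.replace(/:$/, "").split(", ").map((s) => s.replace(/^"|"$/g, ""));
      const name = selectors[0].slice(0, selectors[0].lastIndexOf("@")); // handles @scope/name
      current = { name, version: null, deps: {} };
      for (const s of selectors) entries.set(s, current);
      continue;
    }
    const line = raw.trim();
    const v = line.match(/^version "([^"]+)"$/);
    if (v) { current.version = v[1]; continue; }
    // Four-space-indented lines under dependencies: are `name "range"` pairs.
    const d = raw.startsWith("    ") && line.match(/^"?([^\s"]+)"?\s+"([^"]+)"$/);
    if (d) current.deps[d[1]] = d[2];
  }
  return entries;
}

// Numeric major.minor.patch comparison (pre-release suffixes ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk from the app's direct dependencies. Each finding carries the
// full resolved path so the offending parent (here: request) is obvious.
function findVulnerablePaths(lockText, directDeps) {
  const entries = parseYarnLock(lockText);
  const findings = [];
  const visit = (name, range, path) => {
    const entry = entries.get(`${name}@${range}`);
    if (!entry) return; // selector absent from the lockfile
    const node = `${name}@${entry.version}`;
    if (path.includes(node)) return; // cycle guard
    const next = [...path, node];
    if (name === "request") {
      findings.push({ package: name, version: entry.version, path: next, reason: "deprecated, no patch available" });
    }
    if (name === "tough-cookie" && compareVersions(entry.version, PATCHED_TOUGH_COOKIE) < 0) {
      findings.push({ package: name, version: entry.version, path: next, reason: `below patched ${PATCHED_TOUGH_COOKIE}` });
    }
    for (const [dep, depRange] of Object.entries(entry.deps)) visit(dep, depRange, next);
  };
  for (const [name, range] of Object.entries(directDeps)) visit(name, range, []);
  return findings;
}

// Assumed direct dependencies of the app (mirrors the "Dependency of" row above).
const APP_DEPENDENCIES = { "@altostra/cli-login-auth0": "^1.0.0" };

for (const f of findVulnerablePaths(SAMPLE_YARN_LOCK, APP_DEPENDENCIES)) {
  console.log(`${f.package}@${f.version}: ${f.reason}\n  path: ${f.path.join(" > ")}`);
}
```

To run it against a real project, replace SAMPLE_YARN_LOCK with fs.readFileSync("yarn.lock", "utf8") and APP_DEPENDENCIES with the dependencies object from package.json. The two findings differ in what can be done about them: a tough-cookie path can be forced onto 4.1.3 or later with a yarn resolutions (or npm overrides) entry, provided request still works with that release, whereas the request path only goes away when the package is replaced, since no patched version exists.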

jmanno01 commented 1 year ago

Hi, hope you are doing well.

The request module is being used by kubernetes/client-node and, as mentioned in the doc, it was changed to fetch, but it seems weird that I still see it in the package-lock.json.


Even though I run npm uninstall @kubernetes/client-node/request, I still have it in the project.

Questions:

1- How do I remove request from kubernetes/client-node so it can only use node-fetch?
2- What is the alternative?