box / box-node-sdk

A Javascript interface for interacting with the Box API. You can find the node package at
https://www.npmjs.com/package/box-node-sdk
Apache License 2.0

CVE-2023-26136 because of request@2.88.2/tough-cookie@2.5.0 #851

Closed gdelory closed 1 year ago

gdelory commented 1 year ago

Is your feature request related to a problem? Please describe.

The latest Box SDK introduces a critical security vulnerability (CVE-2023-26136) because it still uses requests, which has been deprecated for a long time now.

Describe the solution you'd like

I've seen this issue, which has simply been closed although nothing was done. It states that a new version of the SDK in Typescript should be released in July/August, we are now in September and it is still not out. 3 months for a critical security vulnerability is an eternity.

I know this issue states that it's available as box-typescript-sdk-gen, but it's still a beta and:

  1. We are really reluctant to use a beta version in a production application
  2. This is still a major change; a critical security vulnerability should still be patched on the existing version IMO

Describe alternatives you've considered

Forcing the version of tough-cookie with an override clause, but version 4 of tough-cookie has breaking changes, so I'm scared it would break requests. To be honest, with requests being deprecated, it should just be replaced anyway.

There is also this issue where someone proposed a replacement for request.

Finally, this issue mention

Additional context

antusus commented 1 year ago

Hello @gdelory,

Sorry about this. The team is working hard on this generated SDK. We will investigate if we can upgrade this dependency; however, I cannot tell you what the timeline for getting this solved is. (SDK-3326)

congminh1254 commented 1 year ago

Hi @gdelory,

As we don't have much effort available to replace request with any other library, we have overridden tough-cookie with a higher version which is not affected by the security issue. We hope that this will be acceptable for you until the new Typescript SDK has a stable release.

Regards, Minh

MaPDores commented 1 year ago

Hi @congminh1254,

Do you have any schedule for when this fix is going to be released?

congminh1254 commented 11 months ago

Hi @MaPDores

Sorry for the late response; we have just released version 3.3.0, which fixes this issue.

Please check it.

Best, Minh