cainus / codecov.io

MIT License

Update 'request' dependency #29

Closed jvincilione closed 8 years ago

jvincilione commented 8 years ago

There is a security flaw in hawk 1.1.1 (a 2.5-year-old version), which is used by request@2.42.0 (a 1.5-year-old version), which is a dependency of codecov.io.

The current release of request is 2.69.1; updating shouldn't break anything. That version of request uses hawk 3.1.0, which, while still not the most recent version, is the last minor version of hawk v3.

jwjohns commented 8 years ago

+1

rmg commented 8 years ago

@stevepeak any chance you could publish 0.1.7 so the fix in 2ff00c5 is live?

stevepeak commented 8 years ago

@rmg we are phasing out this package in favor of https://github.com/codecov/codecov-node can you give that package a shot? Thanks

rmg commented 8 years ago

@stevepeak I looked at the situation before making the request. I'm not using this module directly; my main goal was to fix the deeply nested dependency on an ancient version of request that depends on an even more ancient version of hawk, just like the issue says. Currently this chain shows up as an insecure dependency on bithound.io for anyone who happens to use tap for their tests.

Possibly a more useful reason to publish would be to get the deprecation warning in the README published to the package page on npmjs.com :-)