cronofy / cronofy-node

Node wrapper for the Cronofy API
https://docs.cronofy.com/developers
MIT License

Prototype Pollution from request@2.88.2 #84

Closed trmpowell closed 1 year ago

trmpowell commented 3 years ago

Running snyk test on an application using cronofy@3.5.1 reports a high severity vulnerability:

✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-AJV-584908] in ajv@6.12.2
    introduced by cronofy@3.5.1 > request@2.88.2 > har-validator@5.1.3 > ajv@6.12.2 and 2 other path(s)
  This issue was fixed in versions: 6.12.3

As the request package is deprecated and no longer receiving updates, the best option is to replace request with another library that does not include vulnerabilities.
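The "introduced by" lines in the Snyk output above are dependency paths from the application down to the flagged package. The script below, added here as an illustration and not part of the cronofy-node project or this thread, reproduces that report offline: it walks a hoisted, lockfileVersion 1 style package-lock.json (the `dependencies` map with `version` and `requires` per entry) and lists every path from a direct dependency to a package whose locked version is below the fixed version. The lockfile object, the app name `example-app`, the package `example-lint` and the `DIRECT` list are constructed for the example; only the cronofy > request > har-validator > ajv chain and the 6.12.3 fix version come from the issue.

```javascript
// Added example (not project code). Finds every dependency path that pulls
// in a vulnerable package, in the style of Snyk's "introduced by A > B > C".

// Constructed, hoisted lockfile (lockfileVersion 1 shape). Versions on the
// cronofy > request > har-validator > ajv chain are taken from the issue;
// "example-lint" is a made-up second path to show the "and N other path(s)" case.
const LOCK = {
  name: 'example-app',
  dependencies: {
    cronofy:         { version: '3.5.1',  requires: { request: '^2.88.2' } },
    request:         { version: '2.88.2', requires: { 'har-validator': '~5.1.3' } },
    'har-validator': { version: '5.1.3',  requires: { ajv: '^6.12.2' } },
    ajv:             { version: '6.12.2', requires: {} },
    'example-lint':  { version: '1.0.0',  requires: { ajv: '^6.0.0' } },
  },
};

// Direct dependencies of the root package (normally read from package.json;
// a v1 lockfile flattens transitive deps, so they cannot be told apart there).
const DIRECT = ['cronofy', 'example-lint'];

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Prerelease suffixes are ignored, which is enough for plain x.y.z versions.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first search from each direct dependency. Every trail that reaches
// `pkg` at a version below `fixedIn` is recorded as an array of "name@version".
// The `seen` set stops cycles (peer/optional deps can form loops in practice).
function findVulnerablePaths(lock, direct, pkg, fixedIn) {
  const deps = lock.dependencies;
  const paths = [];
  const visit = (name, trail, seen) => {
    const entry = deps[name];
    if (!entry || seen.has(name)) return;            // unknown package or cycle
    const here = [...trail, `${name}@${entry.version}`];
    if (name === pkg && compareVersions(entry.version, fixedIn) < 0) paths.push(here);
    const next = new Set(seen).add(name);
    for (const child of Object.keys(entry.requires || {})) visit(child, here, next);
  };
  for (const top of direct) visit(top, [], new Set());
  return paths;
}

// Render paths the way Snyk prints them: "a@1 > b@2 > c@3".
function formatPaths(paths) {
  return paths.map((p) => p.join(' > '));
}

// Usage: report every route to ajv below the fixed version 6.12.3.
const report = formatPaths(findVulnerablePaths(LOCK, DIRECT, 'ajv', '6.12.3'));
console.log(report.join('\n'));
```

Running it prints the cronofy chain from the issue plus the constructed example-lint route, which is the same information as Snyk's "and N other path(s)" and tells you whether swapping out `request` alone removes every route to the vulnerable version or whether another dependency also needs attention.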

gl-aagostino commented 2 years ago

Hey, I made a PR with axios https://github.com/cronofy/cronofy-node/pull/90

CronofyMatt commented 1 year ago

Hi and thank you for taking the time to open this issue, and apologies for the delay in getting back.

I can see that this issue has now been resolved by merging #90 - again a thank you to @gl-aagostino for providing this pull request.

Due to the age of this issue I am going to close it for now, however if you are still having problems please either re-open the ticket, create a new issue, or contact us at support@cronofy.com where our support and engineering teams can help you out.

We will be updating our monitoring of issues being opened on repos to make sure we don’t let issues stagnate in future. We put a lot of time and effort into the quality of our products and this falls below the standards of support and care we offer elsewhere.