Closed genlyken closed 1 year ago
thanks for raising this issue. since request package is no longer active, we will consider to replace the request package with alternative solutions.
@stcheng Thanks for the update! This is the only project not passing the vulnerability checks and our clients are concerned about this. We'd love to keep using this package. Is there a timeline on making this change?
@genlyken, thank you for providing this feedback. Although we don't currently have a concrete timeline on this topic, I'll assess how extensive the change would be to replace the 'request' package with alternatives, and I'll escalate this issue to prioritize it. I'll keep this thread updated.
@stcheng Thanks I appreciate your quick reply! I was digging further and it doesn't look like request is being used at all. I pulled it down locally and removed the dependency and all my tests passed. Perhaps we can just remove it from the package.json?
@genlyken oh really! because if that is the case, would you mind create a pull request? I would be glad to help review it and facilitate the progress.
@stcheng I thought I already did the CLA thing, but I'm getting 403 when I push. I was hoping maybe you can make the change as it should just be a one line delete in the package.json
@genlyken Sounds good. If no other issues I'll have it done by today.
@genlyken this issue seems not that straightforward. the request package is required by request-promise which is used in http.js file(https://github.com/facebook/facebook-nodejs-business-sdk/blob/main/src/http.js#L12). Thus, some code changes are required to deprecate both request and request-promise. I'll do some further investigation here.
@stcheng i submitted a PR (https://github.com/facebook/facebook-nodejs-business-sdk/pull/257), but I haven't figured out the CLA yet. I'm using axios and I tested this code by creating a campaign, adset and ad and uploaded a video, but there's plenty of FB code that I'm not familiar with and haven't tested. I'd love if you can take a look!
@genlyken saw the PR. thank you! let me know if you're able to complete CLA or not.
@stcheng I think there's an issue with my CLA where i mixed up my github accounts. Paul from meta messaged me, but I think it takes a while to clean this up.
@genlyken any luck getting the CLA? if not, do you want me to get it addressed on behalf of you?
@stcheng I haven't had any change in status on the CLA. I'd appreciate any steps moving forward!
closing in favor of a2d64d93485f353ad6a3e78709c7d7fc858dcbc2
Which SDK version are you using?
16.0.2
What's the issue?
Given a new requirement to run snyk on our projects, since the current package uses request@2.88.2, I'm seeing:
Issues with no direct upgrade or patch: ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831] in request@2.88.2 introduced by facebook-nodejs-business-sdk@16.0.2 > request@2.88.2 and 1 other path(s) No upgrade or patch available
Steps/Sample code to reproduce the issue
Observed Results:
Issue as shown above.
Expected Results:
✔ Tested XX dependencies for known issues, no vulnerable paths found.