looker-open-source / sdk-codegen

One SDK to rule them all, and in the codegen bind them
MIT License
228 stars 192 forks

Security Issue with request 2.88 in @looker/sdk and @looker/sdk-rtl #1439

Open RobinShift4 opened 6 months ago

RobinShift4 commented 6 months ago

I have a project using @looker/sdk as a dependency and when I run:

yarn run audit

I get

Severity: MODERATE
Modules: @looker/sdk-rtl>request, @looker/filter-components>@looker/sdk-rtl>request, @looker/filter-components>@looker/sdk>@looker/sdk-rtl>request, @looker/filter-components>@looker/filter-expressions>@looker/sdk>@looker/sdk-rtl>request
URL: https://github.com/advisories/GHSA-p8p7-x288-28g6

four times. I see that @looker/sdk and @looker/sdk-rtl are using

request "^2.88.0"

which has this security issue. Are there plans to upgrade?

mnahkies commented 5 months ago

request has been deprecated for years at this point - it really needs replacing IMO https://github.com/request/request/issues/3142

xiel commented 2 months ago

In case someone needs a quick fix for this issue, the cypress team maintains a fork with a fix.

You can get it into your project by using npm overrides in package.json

"overrides": {
  "request": "npm:@cypress/request@^3.0.0"
},

smartin88 commented 2 months ago

@xiel thanks for the solution! This works fine for me when I run my project locally, however as soon as it runs in a Docker container, it fails:

Cannot find module 'request'
Required stack: -/app/server/node_modules/@looker/sdk-node/lib/nodeTransport.js

Really struggling to find a way to fix this, do you have any ideas?

xiel commented 2 months ago

@smartin88 That difference between local and docker is weird. Which package manager do you use? How are the node_modules installed into the docker container? Do you install from inside the docker container or copy the modules from outside in? I am wondering if it might be related to symlinks...

Bit hard to debug from the outside...

smartin88 commented 2 months ago

Hey @xiel, we use pnpm as our package manager, and the modules are compiled and then copied from outside into the Docker container. Thanks for the thoughts regarding symlinks...appreciate this is hard to debug from outside, I will look at that as a possible issue