Open caizixian opened 2 years ago
Made PR for this issue https://github.com/request/request/pull/3395
We are facing the same issue with request. Can someone please let us know the ETA for when this PR is going to be merged?
Same here. Do you know when this PR will be merged? Thanks in advance!
@mikeal as stated here https://github.com/request/request/issues/3142
Maintenance Mode
The committers that are still active will try to merge fixes in a timely fashion, no promises though.
Yes, "timely fashion, no promises though", but PLEASE take these security issues seriously or mark this project completely deprecated and unmaintained so that developers start to migrate away from request.
I understood that this project has all required features, so there is "nothing to do" except maintenance. So, unless no one is actually doing active maintenance, please deprecate the whole library. In my project, migrating away from request to, for example, axios would take about 2-3 weeks to get all changes done and tests passing.
Yes, "timely fashion, no promises though", but PLEASE take these security issues seriously or mark this project completely deprecated and unmaintained so that developers start to migrate away from request.
From README:
As of Feb 11th 2020, request is fully deprecated. No new changes are expected to land. In fact, none have landed for some time.
And a big "Deprecated!" header on top of that. The README has been warning about this from the very beginning.
@hahyes yep, but the issue that the deprecation message refers to is this one, https://github.com/request/request/issues/3142, and it says: "The most valuable thing request can do for the JavaScript ecosystem is to go into maintenance mode and stop considering new features or major releases."
So, for me, that means the project is in maintenance mode, and in many cases that means security issues are dealt with but no new features are added. Sometimes even major bugs are fixed.
Thankfully there was a backport in jsprim@1.4.2,
which is compatible with http-signature@1.2.0,
and therefore this can be resolved without any action in request:
└─┬ request@2.88.2
  └─┬ http-signature@1.2.0
    └─┬ jsprim@1.4.2
      └── json-schema@0.4.0
To mitigate it in your project, simply run the following commands (as long as jsprim is not a main dependency of your project):
npm install --save jsprim@1.4.2
npm ddp
npm uninstall --save jsprim
npm ls json-schema
I did something similar on http-signature; it installs the fixed version of json-schema, but the CVE scan tools still complain about the old version. It still bothers me, even if it's a false positive.
Summary
request has a transitive security vulnerability via http-signature https://github.com/advisories/GHSA-896r-f27r-55mw
Simplest Example to Reproduce
Expected Behavior
request depends on http-signature with the security fix, i.e. ~1.3.6
https://github.com/joyent/node-http-signature/pull/125
Current Behavior
request 2.88.2 depends on the vulnerable http-signature 1.2.0
Possible Solution
Bump dependency version
Context
parcel 2.0.1 transitively depends on request
Your Environment