request / request

🏊🏾 Simplified HTTP request client.
Apache License 2.0
25.68k stars, 3.15k forks

Transitive security vulnerability via http-signature #3394

Open caizixian opened 2 years ago

caizixian commented 2 years ago

Summary

request has a transitive security vulnerability via http-signature https://github.com/advisories/GHSA-896r-f27r-55mw

Simplest Example to Reproduce

# npm audit report

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw

node_modules/json-schema
  jsprim  0.3.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  1.0.0 - 1.3.5
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      request  >=2.66.0
      Depends on vulnerable versions of http-signature

Expected Behavior

request depends on http-signature with the security fix, i.e. ~1.3.6 https://github.com/joyent/node-http-signature/pull/125

Current Behavior

request 2.88.2 depends on the vulnerable http-signature 1.2.0

Possible Solution

Bump dependency version

Context

parcel 2.0.1 transitively depends on request

└─┬ parcel@2.0.1
  └─┬ @parcel/config-default@2.0.1
    └─┬ @parcel/optimizer-htmlnano@2.0.1
      └─┬ htmlnano@1.1.1
        └─┬ uncss@0.17.3
          └─┬ request@2.88.2
            └─┬ http-signature@1.2.0
              └─┬ jsprim@1.4.1
                └── json-schema@0.2.3

Your Environment

software           version
request            2.88.2
node               17.0.1
npm                8.1.0
Operating System   macOS 12.0.1

mylesgordon commented 2 years ago

Made PR for this issue https://github.com/request/request/pull/3395

khadervali commented 2 years ago

#3396: It has the same request.

piyushhajare commented 2 years ago

We are facing the same issue with request. Can someone please let us know the ETA for when this PR is going to be merged?

esteetaniag commented 2 years ago

Same here. Do you know when this PR will be merged? Thanks in advance!

RopoMen commented 2 years ago

@mikeal as stated here https://github.com/request/request/issues/3142

> Maintenance Mode
>
> The committers that are still active will try to merge fixes in a timely fashion, no promises though.

Yes, "timely fashion, no promises though", but PLEASE take these security issues seriously or mark this project completely deprecated and unmaintained so that developers start to migrate away from request.

I understood that this project has all the required features, so there is "nothing to do" except maintenance. So, unless no one is actually doing active maintenance, please deprecate the whole library. In my project, migrating away from request to, for example, axios would take about 2-3 weeks to get all changes done and tests passing.

hahyes commented 2 years ago

> Yes, "timely fashion, no promises though", but PLEASE take these security issues seriously or mark this project completely deprecated and unmaintained so that developers start to migrate away from request.

From README:

> As of Feb 11th 2020, request is fully deprecated. No new changes are expected to land. In fact, none have landed for some time.

And a big "Deprecated!" header on top of that. The README has been warning about this from the very beginning.

RopoMen commented 2 years ago

@hahyes yep, but the issue that the deprecation message refers to is https://github.com/request/request/issues/3142, and it says: "The most valuable thing request can do for the JavaScript ecosystem is to go into maintenance mode and stop considering new features or major releases."

So, for me that means that the project is in maintenance mode, and in many cases that means that security issues are dealt with but no new features are added. Sometimes even major bugs are fixed.

felix-hcl commented 2 years ago

Thankfully there was a backport in jsprim@1.4.2, which is compatible with http-signature@1.2.0, and therefore this can be resolved without any action in request:

  └─┬ request@2.88.2
    └─┬ http-signature@1.2.0
      └─┬ jsprim@1.4.2
        └── json-schema@0.4.0

To mitigate it in your project, simply run the following commands (as long as jsprim is not a main dependency of your project):

npm install --save jsprim@1.4.2
npm ddp
npm uninstall --save jsprim
npm ls json-schema
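The last command above is the verification step: after deduplication, `npm ls json-schema` should show only json-schema@0.4.0 under jsprim@1.4.2. For a CI gate that does the same check without eyeballing tree output, here is an added example (not code from the request project or from any commenter on this thread). It walks a tree shaped like `npm ls --json --all` output and reports every dependency path that ends in a json-schema version below 0.4.0, the range flagged by GHSA-896r-f27r-55mw. The tree is constructed inline to mirror the parcel@2.0.1 chain shown in the issue; in real use you would parse the JSON from `npm ls --json --all` instead. The `compareVersions` helper is a deliberately minimal major.minor.patch comparison, which is enough for the versions involved here but is not a full semver implementation.

```javascript
// Added example: flag transitive json-schema versions below the fixed 0.4.0.
// Not code from the request project; the dependency tree below is CONSTRUCTED
// to match the `npm ls` output in the issue.

const VULNERABLE_PACKAGE = 'json-schema';
const FIXED_VERSION = '0.4.0';   // first release without the prototype-pollution issue

// Minimal numeric semver comparison (major.minor.patch only; prerelease tags
// are ignored). Returns -1, 0 or 1 like a classic comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect "name@version > name@version > ..." paths that lead to a
// vulnerable json-schema. `tree` has the {name, version, dependencies:{...}}
// shape that `npm ls --json --all` produces.
function findVulnerablePaths(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === VULNERABLE_PACKAGE && compareVersions(info.version, FIXED_VERSION) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(info, here));   // keep descending
  }
  return hits;
}

// Constructed sample tree; jsprim and json-schema versions are parameters so the
// same chain can be checked before and after the jsprim@1.4.2 pin.
function sampleTree(jsprimVersion, jsonSchemaVersion) {
  return {
    name: 'my-app', version: '1.0.0',
    dependencies: {
      parcel: { version: '2.0.1', dependencies: {
        '@parcel/config-default': { version: '2.0.1', dependencies: {
          '@parcel/optimizer-htmlnano': { version: '2.0.1', dependencies: {
            htmlnano: { version: '1.1.1', dependencies: {
              uncss: { version: '0.17.3', dependencies: {
                request: { version: '2.88.2', dependencies: {
                  'http-signature': { version: '1.2.0', dependencies: {
                    jsprim: { version: jsprimVersion, dependencies: {
                      'json-schema': { version: jsonSchemaVersion }
                    } }
                  } }
                } }
              } }
            } }
          } }
        } }
      } }
    }
  };
}

const BEFORE = sampleTree('1.4.1', '0.2.3');   // state reported in the issue
const AFTER  = sampleTree('1.4.2', '0.4.0');   // after `npm install --save jsprim@1.4.2 && npm ddp`

console.log('before fix:', findVulnerablePaths(BEFORE));   // one vulnerable path
console.log('after fix: ', findVulnerablePaths(AFTER));    // []
```

Wiring this into CI (fail the job when `findVulnerablePaths` returns a non-empty list) gives the same assurance as the manual `npm ls json-schema` check, and it keeps working after later `npm install` runs that might reintroduce an old jsprim.
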

mikailyetkin commented 2 years ago

> Thankfully there was a backport in jsprim@1.4.2 which is compatible with http-signature@1.2.0 and therefore this can be resolved without any action in request:
>
>   └─┬ request@2.88.2
>     └─┬ http-signature@1.2.0
>       └─┬ jsprim@1.4.2
>         └── json-schema@0.4.0
>
> to mitigate it in your project simply run the following commands (as long as jsprim is not a main dependency of your project)
>
> npm install --save jsprim@1.4.2
> npm ddp
> npm uninstall --save jsprim
> npm ls json-schema

I did something similar with http-signature: it installs the fixed version of json-schema, but the CVE scan tools still complain about the old version. It still bothers me even though it's a false positive.