sematext / logsene-js

Log shipping library for sending logs to Sematext from JavaScript apps
https://sematext.com/cloud
Apache License 2.0

The 'Request' library is deprecated #22

Closed antony closed 1 year ago

antony commented 3 years ago

See https://github.com/request/request and https://github.com/request/request/issues/3142

This library should probably be using node-fetch

otisg commented 3 years ago

Thanks, @antony. Any chance you could submit a PR?

antony commented 3 years ago

@otisg I might be able to yeah - will do as soon as I'm able to.

gsf4726 commented 1 year ago

This is now more critical as a vulnerability (CVE-2023-28155) was published recently, so it's now tripping npm audit.
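One way to trace an npm audit finding like this back to the direct dependency that introduces it, as an added example that is not code from logsene-js or from anyone in this thread: the script walks a constructed package-lock.json (lockfileVersion 2/3 "packages" map) and returns every dependency chain that ends in `request`. The versions and the logsene-js to request edge in the sample are assumptions for illustration.

```javascript
// Added example: locate which direct dependency pulls in the deprecated
// "request" package by walking an npm lockfile's "packages" map.

// Constructed sample lockfile (versions and edges are assumed, not real).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "logsene-js": "^1.1.0", express: "^4.18.0" } },
    "node_modules/logsene-js": { version: "1.1.0", dependencies: { request: "^2.88.0" } },
    "node_modules/request": { version: "2.88.2", deprecated: "request has been deprecated" },
    "node_modules/express": { version: "4.18.2", dependencies: {} },
  },
};

// Resolve a dependency name to its lockfile key. npm hoists packages, so a
// dependency may live in a nested node_modules or any ancestor's node_modules;
// search from the parent's own node_modules upward to the root.
function resolveEntry(packages, parentPath, name) {
  let base = parentPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain of package names (direct dependency first) that reaches
// `target`. A per-branch "seen" set guards against dependency cycles.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const found = [];
  const walk = (path, chain, seen) => {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveEntry(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const nextChain = chain.concat(dep);
      if (dep === target) found.push(nextChain);
      else walk(depPath, nextChain, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set());
  return found;
}

console.log(findDependencyPaths(sampleLock, "request")); // → [ [ 'logsene-js', 'request' ] ]
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; each returned chain names the direct dependency to upgrade or replace.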

gsf4726 commented 1 year ago

@otisg is it on Sematext's roadmap to fix the CVE-2023-28155 vulnerability in this module?

otisg commented 1 year ago

@gsf4726 Not planned currently, unless we get a PR. Don't think this module has (m)any users.

antony commented 1 year ago

https://www.npmjs.com/package/logsene-js

3064 weekly downloads, and a critical security vulnerability?

Not sure I agree here.

I'd love to submit a PR but I too am pressed for time so haven't managed to yet.

otisg commented 1 year ago

@antony Oh I don't believe those stats. I suspect 99% of those npm stats numbers are from bots/automated downloads/updates.

antony commented 1 year ago

Automated downloads/updates meaning CI? That's usage. I'm not sure what bots download npm dependencies, otherwise. I certainly haven't seen any evidence of that. I would say that the library has a reasonable amount of usage.

yelworc commented 1 year ago

> @gsf4726 Not planned currently, unless we get a PR. Don't think this module has (m)any users.

Hmm, that sounds vaguely concerning. Is this not the recommended package for shipping logs to Logsene in a Node.js app? The name kinda sounds like it is 😆

I'm definitely using this package in a production API – if it isn't actually being maintained, I need to look for alternatives. That's fine, but it should be clearly and visibly communicated (e.g. by archiving the repo, deprecating the npm package, etc.).

otisg commented 1 year ago

Ugh, sorry folks, my mistake - I was thinking about https://github.com/sematext/logsene-cli. So, yes, we will address this CVE issue.

regiluze commented 1 year ago

@antony @yelworc we've just released a new version of the library removing all vulnerabilities. https://github.com/sematext/logsene-js/releases/tag/1.1.76

yelworc commented 1 year ago

Thank you, much appreciated!