slanatech / swagger-stats

API Observability. Trace API calls and Monitor API performance, health and usage statistics in Node.js Microservices.
https://swaggerstats.io/
MIT License
891 stars, 136 forks

Replace deprecated dependency on request #148

Closed leedm777 closed 1 year ago

leedm777 commented 2 years ago

The Request.js library has been deprecated (see https://github.com/request/request/issues/3142), and is actively pushing folks to use other libraries (see https://github.com/request/request/issues/3143).

There's currently a security vulnerability via request's dependencies, making it even more important to move to a more supported library.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-stats                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-stats > request > http-signature > jsprim >          │
│               │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

steven-sheehy commented 1 year ago

@sv2 Even with the recent dependency bumps in 0.99.4 this outdated version of request dependency causes security checks to fail due to the vulnerable qs it brings in transitively. We can do npm up to fix but then Dependabot wipes that package-lock.json out. Any considerations to replacing the deprecated request? This is blocking our CI from passing and we'll have to spend effort figuring out workarounds.

sv2 commented 1 year ago

Yes, we'll replace request shortly

sv2 commented 1 year ago

Request has been replaced with Axios - v0.99.5