Closed yukha-dw closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub
No new dependency issues detected in pull request
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@*
or ignore all packages with @SocketSecurity ignore-all
| Issue | Status |
|---|---|
| Install scripts | 0 issues |
| Native code | 0 issues |
| Bin script shell injection | 0 issues |
| Unresolved require | 0 issues |
| Invalid package.json | 0 issues |
| HTTP dependency | 0 issues |
| Git dependency | 0 issues |
| Potential typo squat | 0 issues |
| Known Malware | 0 issues |
| Telemetry | 0 issues |
| Protestware/Troll package | 0 issues |
Modified Dependency Overview:
| Added Package | Capability Access | +/- Transitive Count | Publisher |
|---|---|---|---|
| got-cjs@12.5.4 | network, filesystem | +25 | mnmkng |
Removed packages: request@2.88.2
Hi there. Thanks for the PR. I'm all for removing no longer maintained dependencies. Rather than introduce a new one that might end up unmaintained tomorrow, why not make the switch to the native `fetch()`, which during a transition period we could back by `node-fetch()`? What do you think?
I think so, `node-fetch` would be a solid option too.
Feel free to reopen this once you have the code ready. Thanks for your help!
Got it. I'll try when I have time!
Hello, is it possible to replace `request` with a maintained HTTP request library? `request` has a vulnerability and is already EOL. The easiest lib to become an alternative that I can think of is `got`. It has the same stream method but no longer supports CommonJS.

Vulnerability on `request` lib: https://github.com/request/request/issues/3442

Edit: Nevermind, `got` also has this vulnerability :/ I think the solution is to add an SSRF filter to the client.
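One shape such an SSRF filter can take, written here as an added example in JavaScript for Node 18+ around the built-in `fetch()` the maintainer suggests; this is not code from the PR or from the project. The function names (`isPrivateAddress`, `isAllowedUrl`, `resolveAndCheck`, `safeFetch`) and the redirect limit are choices made for this example, and the blocked ranges are the standard loopback, private, link-local (including the 169.254.169.254 cloud metadata address), CGNAT and multicast blocks. The filter is applied to the initial target and again to every redirect hop, because a redirect from a public host into an internal address is the path the linked issue is about.

```javascript
// Added example (not from the PR or the project): SSRF filter in front of
// Node's built-in fetch(). Checks the initial URL and every redirect hop.

const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// true for IPv4 addresses a server-side client must never be steered to
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true; // malformed: fail closed
  const [a, b] = o;
  return (
    a === 0 ||                            // 0.0.0.0/8 "this network"
    a === 10 ||                           // 10.0.0.0/8
    a === 127 ||                          // loopback
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 CGNAT
    (a === 169 && b === 254) ||           // link-local, incl. cloud metadata 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    a >= 224                              // multicast and reserved
  );
}

// true for IPv6 addresses in loopback, unspecified, link-local, ULA, multicast
// or IPv4-mapped-to-a-private-address form
function isPrivateIPv6(ip) {
  const v6 = ip.toLowerCase().replace(/^\[|\]$/g, '');
  if (v6 === '::' || v6 === '::1') return true;
  const mappedDotted = v6.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (mappedDotted) return isPrivateIPv4(mappedDotted[1]);
  const mappedHex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mappedHex) {
    const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16);
    return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  const first = v6.startsWith('::') ? 0 : parseInt(v6.split(':')[0], 16);
  if (Number.isNaN(first)) return true; // garbage: fail closed
  return (
    (first & 0xffc0) === 0xfe80 || // fe80::/10 link-local
    (first & 0xfe00) === 0xfc00 || // fc00::/7 unique local
    (first & 0xff00) === 0xff00    // ff00::/8 multicast
  );
}

function isPrivateAddress(ip) {
  return ip.includes(':') ? isPrivateIPv6(ip) : isPrivateIPv4(ip);
}

// Static check on the URL itself: scheme, localhost names and literal IPs.
// The WHATWG URL parser normalises forms like 127.1 or 2130706433 to dotted quads first.
function isAllowedUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (IPV4_RE.test(host) || host.includes(':')) return !isPrivateAddress(host);
  return true; // a DNS name: still has to pass resolveAndCheck()
}

// Resolve a DNS name and reject it if any answer points into non-public space.
async function resolveAndCheck(hostname) {
  const dns = await import('node:dns');
  const answers = await dns.promises.lookup(hostname, { all: true });
  for (const { address } of answers) {
    if (isPrivateAddress(address)) throw new Error(`SSRF filter: ${hostname} resolves to ${address}`);
  }
}

// fetch() replacement: filters the first target and each redirect hop itself.
async function safeFetch(input, options = {}, maxRedirects = 5) {
  let current = String(input);
  let opts = { ...options, redirect: 'manual' };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowedUrl(current)) throw new Error(`SSRF filter: blocked ${current}`);
    const { hostname } = new URL(current);
    if (!IPV4_RE.test(hostname) && !hostname.includes(':')) await resolveAndCheck(hostname);
    // Caveat: the lookup above and the socket connect are separate resolutions, so a
    // DNS-rebinding host can change its answer in between; closing that gap means
    // pinning the checked address into the connection via a custom agent/dispatcher.
    const res = await fetch(current, opts);
    const location = res.headers.get('location');
    if ([301, 302, 303, 307, 308].includes(res.status) && location) {
      if (res.status === 303) opts = { ...opts, method: 'GET', body: undefined }; // 303 switches to GET
      current = new URL(location, current).toString();
      continue;
    }
    return res;
  }
  throw new Error('SSRF filter: too many redirects');
}
```

`isAllowedUrl` alone is not enough for DNS names, which is why `safeFetch` also resolves the name before each hop; the pure functions are the part that is easy to unit-test, and the remaining rebinding window is noted in the code.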