drawyan opened this issue 7 years ago (status: Open)
Another reason to do this: the version of request used depends on a vulnerable tough-cookie version.
https://nodesecurity.io/advisories/525
A new version became available after this PR was closed (https://github.com/salesforce/tough-cookie/issues/92). Please update so that nsp check and other security tools can succeed without adding exceptions.
Yet another reason: the 2.75.x version(s) of request use a deprecated version of node-uuid, which has now been transitioned to uuid. More on this change here: https://github.com/kelektiv/node-uuid/issues/142
Since there is already a pull request #75 for this, can it be merged?
And another...
The current pinned version of the request module has an ancestral dependency on a version of hoek that has a DDOS vulnerability.
Upgrading the request module to any version > 2.84.0 should suffice.
The hoek node module before 5.0.3 or 4.2.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability; updating request may solve it.
Problem: The currently pinned version of the request lib, "request": "2.75.x", has an old dependency on aws-sign2 0.6.0, which has a serious bug with duplicated export names: https://github.com/request/aws-sign/issues/7
This is causing bundle tools such as rollup to fail, because rollup does not allow duplicated exports from the same module.
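To check whether a project's own lock file still pulls in a hoek release in the ranges quoted in the hoek comment above (before 4.2.1, or 5.0.x before 5.0.3), here is an added example that walks a nested npm v1-style lockfile tree and reports every vulnerable hoek entry with the dependency path that pulls it in. This is illustration code, not part of this issue or of the request project; the lockfile fragment and the "intermediate-dep" package name are constructed placeholders.

```javascript
// Added example: flag vulnerable transitive hoek versions in an npm v1-style lockfile tree.
// Version ranges are those quoted in the thread: below 4.2.1, and 5.0.x below 5.0.3.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed releases per the thread: 4.2.1 for the 4.x line, 5.0.3 for the 5.x line.
function isVulnerableHoek(version) {
  const [major] = parseVersion(version);
  if (major === 5) return compareVersions(version, '5.0.3') < 0;
  return compareVersions(version, '4.2.1') < 0;
}

// Walk nested `dependencies` maps (npm lockfile v1 shape) and collect every
// `hoek` entry in a vulnerable range together with the chain that pulls it in.
function findVulnerableHoek(lock, pkgName = 'hoek', path = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === pkgName && isVulnerableHoek(entry.version)) {
      hits.push({ version: entry.version, path: here.join(' > ') });
    }
    hits.push(...findVulnerableHoek(entry, pkgName, here)); // recurse into nested deps
  }
  return hits;
}

// Constructed lockfile fragment (not a real project's lock); "intermediate-dep"
// is a placeholder for whatever package sits between request and hoek.
const SAMPLE_LOCK = {
  name: 'example-app',
  dependencies: {
    request: { version: '2.75.0', dependencies: {
      'intermediate-dep': { version: '1.0.0', dependencies: { hoek: { version: '2.16.3' } } } } },
    hoek: { version: '5.0.3' },
    'other-dep': { version: '1.0.0', dependencies: { hoek: { version: '5.0.2' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableHoek(SAMPLE_LOCK)); // two hits: 2.16.3 via request, 5.0.2 via other-dep
}
```

On a real project, replace SAMPLE_LOCK with JSON.parse of the package-lock.json contents; a non-empty result means the pinned request range still needs bumping.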