za419 / CadenceBot

A Discord bot for Cadence Radio
MIT License
2 stars, 1 fork

Upgrade request dependency #98

Open za419 opened 2 years ago

za419 commented 2 years ago

request as installed depends on a version of json-fetch which is vulnerable to RCE on user-provided JSON (CVE-2021-3918).

This is currently not too much of an attack on CadenceBot (we're low-risk, we trust the IA's config inputs, and we trust the API server), but once we allow live reconfiguration by non-IAs we need to harden against a server admin attempting to inject code that could have wider impact.

Therefore, upgrade request to a version whose dependency tree does not include a version of json-fetch before 0.4.0.

This issue must be resolved before merge of a fix for #45.
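The condition the issue sets ("a version whose dependency tree does not include a version of json-fetch before 0.4.0") is a check on the installed tree, not on the top-level dependency, because npm can keep an old nested copy under `node_modules/request/node_modules/` while a newer copy sits at the top level. The script below is an added example, not CadenceBot's code: it walks a `package-lock.json` object, lists every installed copy of a named package, and flags the ones below a minimum version. The lockfile object is constructed for the example (the paths and versions are invented, and `json-fetch` here is just the name used in the issue, not a claim about the real request dependency tree), and the function names are my own.

```javascript
// Added example (not from the CadenceBot repository): scan a lockfile for
// every installed copy of a package and flag copies below a minimum version.

// Minimal semver comparison on major.minor.patch; pre-release and build
// tags are ignored. Returns <0, 0 or >0 like a comparator.
function compareSemver(a, b) {
  const parse = (v) =>
    v.replace(/^v/, "").split("-")[0].split("+")[0].split(".")
      .map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy of `name` from a parsed package-lock.json.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree. A v2 lockfile
// carries both, so only one representation is read to avoid double counting.
function findInstalledVersions(lock, name) {
  const found = []; // [{ path, version }]
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue; // "" is the root project entry
      // The package name is whatever follows the last "node_modules/",
      // which also works for scoped packages such as @scope/pkg.
      const marker = "node_modules/";
      const leaf = p.slice(p.lastIndexOf(marker) + marker.length);
      if (leaf === name && meta.version) found.push({ path: p, version: meta.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name && meta.version) found.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Copies of `name` older than `minVersion`; an empty array means the tree
// is clean for this package.
function findVulnerableCopies(lock, name, minVersion) {
  return findInstalledVersions(lock, name)
    .filter((c) => compareSemver(c.version, minVersion) < 0);
}

// Constructed sample lockfile (not CadenceBot's real lockfile): a patched
// json-fetch is hoisted to the top level, but request still pins an older
// copy in its own nested node_modules, which is the case `npm ls` of the
// top-level package alone would hide.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "cadencebot-sample", version: "0.0.0" },
    "node_modules/json-fetch": { version: "0.4.0" },
    "node_modules/request": {
      version: "2.88.2",
      dependencies: { "json-fetch": "0.3.1" },
    },
    "node_modules/request/node_modules/json-fetch": { version: "0.3.1" },
  },
};

const stale = findVulnerableCopies(sampleLock, "json-fetch", "0.4.0");
for (const c of stale) {
  console.log(`still below 0.4.0: ${c.path} (${c.version})`);
}
```

To run it against a real checkout, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an upgrade of request only resolves the issue when this returns an empty array, i.e. when no nested copy remains. `npm ls json-fetch` and `npm audit` give the same view from the stock tooling, and the script is mainly useful as a merge-gate check that fails a CI step on a non-empty result.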