
Replace deprecated dependency on request #148

Closed
leedm777 opened this issue Nov 23, 2021 · 3 comments

@leedm777

The Request.js library has been deprecated (see request/request#3142), and is actively pushing folks to use other libraries (see request/request#3143).

There's currently a security vulnerability via request's dependencies, making it even more important to move to a more supported library.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-stats                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-stats > request > http-signature > jsprim >          │
│               │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
@sv2 sv2 self-assigned this Nov 24, 2021
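
The `Path` row in the audit output above can be recomputed from a lockfile, which helps confirm whether a vulnerable transitive package is still reachable after a dependency bump. The following Node.js code is an added example, not part of the original thread or of swagger-stats: the lockfile content and all version numbers other than 0.99.4 are constructed sample data, and `resolveDep`, `lt` and `findVulnerablePaths` are hypothetical helper names.

```javascript
// Constructed lockfile in the lockfileVersion 2/3 "packages" layout (sample versions).
const lock = { packages: {
  "": { dependencies: { "swagger-stats": "^0.99.4" } },
  "node_modules/swagger-stats": { version: "0.99.4", dependencies: { request: "^2.88.2" } },
  "node_modules/request": { version: "2.88.2",
    dependencies: { "http-signature": "~1.2.0", qs: "~6.5.2" } },
  "node_modules/http-signature": { version: "1.2.0", dependencies: { jsprim: "^1.2.2" } },
  "node_modules/jsprim": { version: "1.4.1", dependencies: { "json-schema": "0.2.3" } },
  "node_modules/json-schema": { version: "0.2.3" },
  "node_modules/qs": { version: "6.5.2" },
} };

// Resolve a dependency the way Node does: nearest node_modules directory, walking up.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Compare plain x.y.z versions; prerelease tags are not handled (assumption).
function lt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// List every runtime dependency chain from the root that ends at `target`
// installed below `patched`. Enumerates all paths, so very large trees are slow.
function findVulnerablePaths(lockfile, target, patched) {
  const pkgs = lockfile.packages, hits = [];
  const walk = (path, chain, seen) => {
    const deps = { ...pkgs[path].dependencies, ...pkgs[path].optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(pkgs, path, name);
      if (!next || seen.has(next)) continue; // missing, or a dependency cycle
      const trail = [...chain, name];
      if (name === target && lt(pkgs[next].version, patched))
        hits.push({ path: trail.join(" > "), version: pkgs[next].version });
      walk(next, trail, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return hits;
}
```

Running `findVulnerablePaths` against the project's real `package-lock.json` (loaded with `JSON.parse`) after each dependency update shows whether the flagged chain is gone or merely moved.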
@steven-sheehy
Contributor

steven-sheehy commented Dec 10, 2022

@sv2 Even with the recent dependency bumps in 0.99.4 this outdated version of request dependency causes security checks to fail due to the vulnerable qs it brings in transitively. We can do npm up to fix but then Dependabot wipes that package-lock.json out. Any considerations to replacing the deprecated request? This is blocking our CI from passing and we'll have to spend effort figuring out workarounds.

@sv2
Collaborator

sv2 commented Dec 13, 2022

Yes, we'll replace request shortly

sv2 added a commit that referenced this issue Jan 12, 2023
sv2 added a commit that referenced this issue Jan 12, 2023
@sv2
Collaborator

sv2 commented Jan 12, 2023

Request has been replaced with Axios - v0.99.5

@sv2 sv2 closed this as completed Jan 12, 2023