Security - Deprecated dependency (Request)

[Hanifb]

Request is now deprecated - it has several unadressed issues.

Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3

[dcnl1980]

Same here, any updates?

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install @getbrevo/[email protected], which is a breaking change
node_modules/request
@getbrevo/brevo >=2.0.0-beta.2
Depends on vulnerable versions of request
node_modules/@getbrevo/brevo

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install @getbrevo/[email protected], which is a breaking change
node_modules/tough-cookie

3 moderate severity vulnerabilities

[bobylito]

For request there will be update of the library, see here : request/request#3142. It begs the question of why the project depends on such an outdated package?

There is a 4.1.4 version of tough-cookie that we could use. This is a dependency of request and it can be overriden like so :

{
  "name": "my-package",
  "version": "1.1.1",
  "dependencies": {
    "@getbrevo/brevo": "^2.2.0",
  },
  "overrides": {
    "@getbrevo/brevo": {
      "tough-cookie": "4.1.4"
    }
  }
}

[SergioNR]

Bump

[Pouchey]

Up ?

[proton1k]

up

[sualko]

@shubhamUpadhyayInBlue any update on this? It is really annoying.