Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade version of request library to fix vulnerability #188

Closed
clementallen opened this issue Mar 23, 2018 · 8 comments
Closed

Upgrade version of request library to fix vulnerability #188

clementallen opened this issue Mar 23, 2018 · 8 comments

Comments

@clementallen
Copy link

The current version of the request library uses a version of tough-cookie which has a security vulnerability. Upgrading request would mean this vulnerable version would no longer be used.

Vulnerability:
https://www.versioneye.com/Node.JS/tough-cookie/2.3.2

Fix in request:
request/request#2776
@clementallen clementallen changed the title Upgrade version of request library Upgrade version of request library to fix vulnerability Mar 23, 2018
@delucis
Copy link

delucis commented Apr 26, 2018

The current version of request also depends on an old and vulnerable hoek (via hawk).

Vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2018-3728

@monkbroc monkbroc mentioned this issue Apr 26, 2018
Closed
@epheph
Copy link

epheph commented Apr 26, 2018

#189

@davedoesdev
Copy link

Re the hoak vulnerability.
node-coveralls brings in hoak 4.2.1 which is not vulnerable:

https://nodesecurity.io/advisories/566
hapijs/hoek#230

@delucis
Copy link

delucis commented Apr 26, 2018

My bad, double checked and as far as I can tell, it is indeed bringing in 4.2.1.

@epheph
Copy link

epheph commented Apr 26, 2018

It could end up using a lower version of hoek if there's another old request/hoek elsewhere in your project (like babel-cli)

@davedoesdev
Copy link

IMHO that's a problem with the project depending on an older request/hoek.

request 3.0.0 depends on request ^2.79.0 so is happy to accept patches to the 2.x.x line.

@evanp evanp mentioned this issue Apr 27, 2018
Open
gustavohenke added a commit to express-validator/express-validator that referenced this issue Apr 29, 2018
@gustavohenke
npm: update deps to get rid of vulnerabilities
d610f85 
Found in hoek@4.2.0
https://nvd.nist.gov/vuln/detail/CVE-2018-3728

See also nickmerwin/node-coveralls#188
@Retro64 Retro64 mentioned this issue Apr 30, 2018
Closed
@ChristophWurst ChristophWurst mentioned this issue Apr 30, 2018
Closed
@davedoesdev
Copy link

I think this is fixed now, thanks

@nickmerwin
Copy link
Owner

Thanks!

@kkamkou kkamkou mentioned this issue May 2, 2018
Closed
@stefan-guggisberg stefan-guggisberg mentioned this issue Sep 18, 2018
Closed
TigerStar429 pushed a commit to TigerStar429/expressjs-validator that referenced this issue May 30, 2023
npm: update deps to get rid of vulnerabilities
8322c6f 
Found in hoek@4.2.0
https://nvd.nist.gov/vuln/detail/CVE-2018-3728

See also nickmerwin/node-coveralls#188
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@nickmerwin @delucis @epheph @davedoesdev @clementallen