Node security project failure #83

Closed
bobjflong opened this issue Feb 11, 2016 · 9 comments
@bobjflong
Contributor

Hi, we are getting nsp failures in intercom-node. We are running unirest 0.4.2 which appears to be the latest. There was a change dddf899 to bump the request version but did it get released? And do you think it will fix the hawk issue?

┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                                      │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ hawk                                                                                                      │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 1.1.1                                                                                                     │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ < 3.1.3  || >= 4.0.0 <4.1.1                                                                               │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >=3.1.3 < 4.0.0 || >=4.1.1                                                                                │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ intercom-client@2.6.0 > unirest@0.4.2 > request@2.51.0 > hawk@1.1.1                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/77                                                                     │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────┘
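
As an added example (not part of the original post and not nsp's own code), the check below evaluates the Vulnerable and Patched ranges from the report above against the hawk version at the end of the dependency path. The helper names are made up for illustration, and only plain x.y.z versions with simple comparators are handled.

```javascript
// Minimal evaluator for the range syntax shown in the nsp table.
// Supports x.y.z versions, <, <=, >, >=, =, space-separated AND, and "||" OR.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  return range.split('||').some((alt) => {
    // Normalise "< 3.1.3" to "<3.1.3" so each comparator is a single token.
    const tokens = alt.trim().replace(/([<>=]+)\s+/g, '$1').split(/\s+/);
    return tokens.every((tok) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(tok);
      if (!m) throw new Error(`unsupported comparator: ${tok}`);
      const c = compare(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    });
  });
}

// Ranges and path copied from the nsp report above.
const VULNERABLE = '< 3.1.3  || >= 4.0.0 <4.1.1';
const PATCHED = '>=3.1.3 < 4.0.0 || >=4.1.1';
const PATH = 'intercom-client@2.6.0 > unirest@0.4.2 > request@2.51.0 > hawk@1.1.1';

// The flagged package is the last hop of the path (unscoped names only).
function classify(pathStr) {
  const [name, version] = pathStr.split(' > ').pop().split('@');
  return { name, version,
    vulnerable: satisfies(version, VULNERABLE),
    patched: satisfies(version, PATCHED) };
}

console.log(classify(PATH));
```

The flagged package sits three hops below intercom-client, so the report only clears once request, and in turn unirest, publish a release that resolves hawk into the patched range.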
@joeycozza

Sure would be nice to have this update released on npm...

@bobjflong
Contributor Author

Our builds are still broken 😞 would it be possible to release the version? Or learn more about when that might happen?

@ErikBean

ErikBean commented May 9, 2016

@bobjflong I bumped my unirest version to point to master:
"unirest": "git@github.com:Mashape/unirest-nodejs.git#master"
And nsp is no longer complaining about request, since it's bumped to ~2.65.0 in unirest's master branch.
So I believe this issue should be fixed in the next release.
I also would like to have this added to npm, how can I help?
@nijikokun is there a plan for when the next release might be out?

@nijikokun
Contributor

nijikokun commented May 9, 2016 via email

@joeycozza

hallelujah

@nijikokun
Contributor

nijikokun commented May 9, 2016

0.5.0 has been released, beware that I have updated all module dependencies to their latest (safe) version that I can foresee. Let me know if you spot any issues.

 % nsp check                                                                                    git/unirest-nodejs (master) nijikokun
(+) No known vulnerabilities found

@ErikBean

@nijikokun I'm confused, I don't see 0.5.0 in the releases page, but I see 0.5.0 on npm. How is this working?

@nijikokun
Contributor

nijikokun commented May 10, 2016 via email

@ErikBean

Ok, thanks 👍
