Relaxes dependency versioning #70
Conversation
Assuming it uses semver versioning.
The newest version of `request` uses patched versions of `hawk` and `is-my-json-valid`, recently highlighted for DoS vulnerabilities. Since `request` 2.53 uses `hawk` 2.x, which wasn't patched, the only way to fix this vulnerability is to update to the most recent `request` version. See: mozilla/hawk#171 This is generally a good practice to use semver dependency versioning.
|
Thank you for the contribution, @jakubpawlowicz. The change makes sense, but would it be possible to lock to at least a minor a version which satisfies the requirements for the vulnerability patch? After taking a look at Any thoughts, @snmaynard @eanakashima? |
|
@kattrali sure, that would work as well, only requiring similar PR in case of any future issues. Although I'm a big fan of semver it's up to owners of this package to decide. Please let me know how you'd like to bump the versions. |
|
I poked around with this a bit, and I think it is fine for now. I may revisit and revise later. Thanks, @jakubpawlowicz. |
Relaxes dependency versioning
|
Thank you, @kattrali! |
Currently both
promiseandrequestversions are pinned which makes it impossible to get patched updates within the same major version, see the commit message to a50469d.It may require a version bump to 1.7, not sure what your policy is.
All tests are green locally.