Replace outdated request dependency that introduces critical vulnerability in json-schema (CVE-2021-3918) #812

Closed
gustaff-weldon opened this issue May 30, 2022 · 3 comments

@gustaff-weldon

gustaff-weldon commented May 30, 2022

Describe the bug
This client depends on the no-longer-maintained `request` dependency.

The path to upgrade was described in request/request#3142

This client is linked from the Officially-supported Kubernetes client libraries page and as such will be widely used by developers who will unknowingly introduce the vulnerability.

`request` brings in a dependency chain containing `json-schema`, for which a critical vulnerability has been reported:

Client Version
0.16.3

To Reproduce

  • yarn init
  • yarn add @kubernetes/client-node
  • yarn why json-schema -R

Expected behavior
No dependency on vulnerable json-schema version < 0.4.0

Environment (please complete the following information):
Any

Additional context
Github advisory entry for json-schema:
CVE-2021-3918 (GHSA-896r-f27r-55mw)
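
A lockfile-independent check for the condition this report describes (any resolved `json-schema` below the fixed version 0.4.0, together with the dependency path that pulls it in), written as an added example that is not part of this issue or of the client-node project. It walks a tree in the shape `npm ls --all --json` prints; the embedded tree, including the packages below `request`, is constructed sample data rather than a real resolution.

```javascript
// Added example (not from the issue or the client-node project): walk an
// `npm ls --all --json`-style tree and report every `json-schema` < 0.4.0.

// Constructed sample tree in the shape `npm ls --all --json` prints; the
// packages below the client are sample data, not a real resolution.
const SAMPLE_TREE = {
  dependencies: {
    '@kubernetes/client-node': {
      version: '0.16.3',
      dependencies: {
        request: {
          version: '2.88.2',
          dependencies: {
            'http-signature': { version: '1.2.0', dependencies: {
              jsprim: { version: '1.4.2', dependencies: { 'json-schema': { version: '0.2.3' } } },
            } },
          },
        },
      },
    },
    ajv: { version: '8.11.0', dependencies: { 'json-schema': { version: '0.4.0' } } },
  },
};

// Numeric compare of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns one { path, version } finding per vulnerable instance.
function findVulnerable(tree, pkg = 'json-schema', fixed = '0.4.0', path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && compareVersions(node.version, fixed) < 0) {
      findings.push({ path: here, version: node.version });
    }
    findings.push(...findVulnerable(node, pkg, fixed, here));
  }
  return findings;
}

findVulnerable(SAMPLE_TREE).forEach(f => console.log(`${f.path.join(' > ')} resolves json-schema@${f.version} (< 0.4.0)`));
```

On a real project, feed it the parsed output of `npm ls --all --json` (or the equivalent `yarn why json-schema -R` chain from the reproduction steps) instead of the constructed tree; the `ajv` branch shows that a fixed 0.4.0 copy elsewhere in the tree does not mask the vulnerable one.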

gustaff-weldon changed the title from "Replace outdated request dependency that introduces critical vulnerability in json-schema" to "Replace outdated request dependency that introduces critical vulnerability in json-schema (CVE-2021-3918)" on May 30, 2022
@Timothy-Dement

Timothy-Dement commented May 30, 2022

This looks like it will resolve the following warnings:

```
$ npm install @kubernetes/client-node
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
```

Although uuid is also listed under:

So that warning may require additional package updates to fully resolve.

@brendandburns
Contributor

This is a duplicate of #414; there is a long discussion there.

Additionally there is documentation for the migration path here:
https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md

The fetch migration has slowed because this is a community supported project. If someone wants to help with the migration, we would be very happy to have the help.

Thanks!

@gustaff-weldon
Author

@brendandburns that discussion is over 2 years old and looks to be stalled.
At this stage, this client should not be a recommended one anymore as it introduces critical security errors.

What is your recommendation for people who need to use Kubernetes API from Node?
