This repository has been archived by the owner on Jan 11, 2024. It is now read-only.

Update request dependency with patched version #110

Conversation

AustinMontoya

Hello! I work for a company that leverages this SDK and ran into what appears to be a security vulnerability from a transitive dependency.

We run nsp check to audit our dependencies.

We pull in optimizely-client-sdk@1.6.0, which in turn pulls in the server SDK. The server SDK is flagged for us because of a vulnerability in hoek, which is transitive from request.

[screenshot: nsp check output flagging hoek]

Upgrading hoek removes the issue.

This can't really be verified using a unit test, but can be checked using the following:

  1. Clone the repo
  2. Run nsp check in the repo root of master (either via npx or via a global installation). Should see something similar to the above screenshot.
  3. Checkout this branch
  4. Run nsp check again. Should see "No known vulnerabilities found".

I think this will also require a corresponding version change in the client SDK's 1.6 branch to use a caret with the published version of this, should it get merged.

Let me know if you have any questions / concerns!

Best,
Austin
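An added example (not part of the PR or of the SDK) of the check the steps above perform by hand: a Node script that walks a package-lock.json v1 style dependency tree and reports every chain leading to a target package, here hoek, together with whether the resolved version is older than a fix version. The server SDK package name, every version number in the lockfile fragment, and the fix-version threshold are constructed placeholders, not values from the PR.

```javascript
// Added example (not code from the PR or the Optimizely SDK): walk a
// package-lock.json v1 style "dependencies" tree and report every path from
// the root to a target package. All names/versions below are constructed.

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every path ending at `target` as arrays of {name, version}.
function findPaths(deps, target, prefix = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix.concat({ name, version: meta.version });
    if (name === target) hits.push(path);
    hits.push(...findPaths(meta.dependencies, target, path));
  }
  return hits;
}

// Report each chain that pulls in `target` and whether it predates the fix.
function auditTransitive(lock, target, fixedVersion) {
  return findPaths(lock.dependencies, target).map(path => ({
    chain: path.map(p => `${p.name}@${p.version}`).join(' > '),
    version: path[path.length - 1].version,
    vulnerable: compareVersions(path[path.length - 1].version, fixedVersion) < 0,
  }));
}

// Constructed lockfile fragment mirroring the chain described in the PR
// (client SDK -> server SDK -> request -> hoek); the server SDK package name
// and every version number here are made up for the example.
const CONSTRUCTED_LOCK = {
  dependencies: {
    'optimizely-client-sdk': { version: '1.6.0', dependencies: {
      'optimizely-server-sdk': { version: '1.0.0', dependencies: {
        request: { version: '1.0.0', dependencies: { hoek: { version: '1.0.0' } } },
      } },
    } },
    hoek: { version: '3.0.0' },  // a second, newer copy hoisted to the root
  },
};
const FIXED_VERSION_PLACEHOLDER = '2.0.0';  // placeholder, not the real hoek fix
```

Running `auditTransitive(CONSTRUCTED_LOCK, 'hoek', FIXED_VERSION_PLACEHOLDER)` flags only the copy nested under request, which is the situation the screenshot above shows for the server SDK.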

@coveralls

coveralls commented Apr 11, 2018

Coverage remained the same at 98.737% when pulling cd19b75 on grrizzly:grrizzly/address-nsp-audit-vuln into c29c01f on optimizely:master.


@mikeproeng37
Contributor

Thanks for the PR @grrizzly. Unfortunately upgrading to that version of the request library breaks compatibility with legacy Node (< 4.0). This was an issue previously where the upgrade to 2.82 was actually a breaking change and ended up causing issues because we weren't pinned to minor versions. We are currently in the process of releasing the 2.0 version of the SDK, which does upgrade the request library and breaks support for legacy Node. Unfortunately we cannot do it in 1.x.x versions because we do have customers using legacy Node versions. You can refer to this release for more information: https://github.com/optimizely/javascript-sdk/releases/tag/v2.0.0-beta1
