Update Request module to Avoid Security Vulnerability #506
Comments
Please do fix this, we've seen the same advisory
Hawk isn't used by pkgcloud. Just because it's bundled by request doesn't make the whole module vulnerable. If you actually look at the code base of request, you'll see that
I can probably look at bumping our dependencies nonetheless.
Thanks @kenperkins
As can be seen in the path for the report that I posted:
Hawk is used by request. Looks like Request has been updated (since I've reported the issue) to bump up the Hawk version, so using request@2.70.1 should fix the issue.
The point that @3rd-Eden was making was that
@indexzero Ah, I see. Thanks and good to know.
FYI @akras14 I don't see
@kenperkins Thanks, my bad. I've double checked and 2.70.0 is published and has the Hawk version bump.
Hi, just did another NSP scan. pkgcloud@1.4.0 uses request@2.40.0 which has another vulnerability listed in addition to the one aforementioned: I'm currently ignoring https://nodesecurity.io/advisories/77 as well, since I have a CI build system, but that's obviously not ideal. Would be great if you guys could knock out 2 of them by updating the request dependency version.
nsp module points out vulnerability in hawk module that is being used by request module.
Looks like the hawk version has just been bumped up in the request module, but it has not been released yet. Next release after v2.69.1 should have it, since the commit was already made: request/request@ebb2c3b
Just wanted to put it on your radar.
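An added example, not part of the thread and not code from pkgcloud, request or nsp: given a dependency tree in the shape of `npm ls --json` output, it lists every install path that leads to a flagged transitive package and names the direct dependency that has to be bumped to move it. The tree is constructed; pkgcloud@1.4.0, request@2.40.0 and request@2.70.0 are taken from the thread, while `my-app`, the hawk versions and the `minFixed` threshold are placeholders to be replaced with values from the advisory.

```javascript
// Constructed sample in the shape of `npm ls --json` output. pkgcloud@1.4.0,
// request@2.40.0 and request@2.70.0 come from the thread; "my-app" and the
// hawk versions are placeholders, not real advisory data.
const sampleTree = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    pkgcloud: { version: "1.4.0", dependencies: {
      request: { version: "2.40.0", dependencies: { hawk: { version: "1.0.0" } } },
    } },
    request: { version: "2.70.0", dependencies: { hawk: { version: "2.0.0" } } },
  },
};

// Compare plain x.y.z versions numerically (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the tree and collect every install path that ends at `target`.
function findPaths(node, name, target, trail = []) {
  const here = trail.concat(`${name}@${node.version}`);
  const hits = name === target ? [{ path: here, version: node.version }] : [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findPaths(dep, depName, target, here));
  }
  return hits;
}

// For each copy of `target`, report its path, whether it predates `minFixed`
// (placeholder threshold), and the direct dependency that pulls it in.
function auditTransitive(tree, target, minFixed) {
  return findPaths(tree, tree.name, target).map((hit) => ({
    path: hit.path.join(" > "),
    outdated: compareVersions(hit.version, minFixed) < 0,
    directDependency: hit.path[1] || hit.path[0],
  }));
}

console.log(auditTransitive(sampleTree, "hawk", "2.0.0"));
```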