replace request with axios (#278)

Co-authored-by: ethanstjohn <ethanstjohn@ibm.com>
razee-io · Apr 13, 2023 · a1f1e41 · a1f1e41
1 parent 73247f9
commit a1f1e41
Show file tree

Hide file tree

Showing 3 changed files with 955 additions and 814 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,7 +10,7 @@ before_install:
 
 script:
   # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
-  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit; else npm audit || true; fi
+  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config audit-ci.json; else npx audit-ci --config audit-ci.json || true; fi
   - npm run lint
   - npm run snifftest
   - if [[ "${TRAVIS_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi

diff --git a/audit-ci.json b/audit-ci.json
@@ -0,0 +1,16 @@
+{
+    "low": true,
+    "_allowlistInfo": [
+      {
+        "advisory": "GHSA-p8p7-x288-28g6",
+        "details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
+        "justification1": "Request package is deprecated and unlikely to receive updates.",
+        "justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.",
+        "expiry": "28 April 2023 00:00"
+      }
+    ],
+    "allowlist": [
+      "GHSA-p8p7-x288-28g6"
+    ],
+    "skip-dev": true
+  }