
SECURITY: Depend on request@2.83.1 instead of 2.81.0 to mitigate vulnerability in transient dependency hoek@2.16.3 #86

Closed
manuelkiessling opened this issue Mar 7, 2018 · 4 comments

Comments

@manuelkiessling

hoek@2.16.3 has a vulnerability, which is fixed in a newer version. You are currently not (transiently) getting the fixed version because you depend on an older version of request. Upgrading your dependency to request@2.83.1 should fix the problem.

Here is the output of NSP:

yarn run nsp check
yarn run v1.3.2
$ /.bin/nsp check
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ redacted > uppy-server@0.11.1 >                                    │
│            │ grant-express@3.8.0 > grant@3.8.0 > request@2.81.0 > hawk@3.1.3 >  │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘
@simov
Owner

simov commented Mar 7, 2018

Unfortunately this update is going to break any client on Node <= 4.x.

I don't support those versions anymore but I won't be able to update request without a major release here, and I'm thinking about replacing it with something else instead.

I know these vulnerability warnings are kind of annoying, but Grant does not use anything from this dependency, so in fact this vulnerability is not affecting it.

@simov
Owner

simov commented Mar 14, 2018

@manuelkiessling I've released v4.0 where I've dropped the request dependency in favor of request-compose which is a lighter HTTP client that simply does not depend on hawk, meaning that this effectively resolves the vulnerability issue.

Check out the Changelog before migrating. There is only one breaking change that may affect you.

Let me know if you have any issues.

@simov simov closed this as completed Mar 14, 2018
@manuelkiessling
Author

I'm afraid I cannot test this directly, because grant is only a transient dependency for me - I depend on https://github.com/transloadit/uppy-server (see transloadit/uppy-server/issues/70).

@simov
Owner

simov commented Mar 14, 2018

I see, I've sent an email to the uppy's maintainers, also I'll comment in their issue tracker. Migration to v4 should be pretty straightforward for them.
