Replace the deprecated and vulnerable dependency package `request` #47

joonaojapalo · 2020-08-18T13:54:50Z

Hi!

The direct dependency package request has been deprecated in Feb 2020 (https://www.npmjs.com/package/request). All versions of request including the latest one are affected by prototype pollution vulnerability (https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-21913/summary)

Maintainers of the package have composed the list of alternative libraries for replacement: request/request#3143

The text was updated successfully, but these errors were encountered:

whtswrng · 2021-03-19T09:59:13Z

Thank you for reporting this issue. We are now tracking this issue internally as LOG-12016.

adarshmadrecha · 2022-10-16T10:19:39Z

@whtswrng Any update/timeline on when the request dependency will be replaced with another suitable package?

phawxby · 2023-03-17T15:10:54Z

This issue is now of critical importance. GHSA-p8p7-x288-28g6

While there is a pull to address the issue there appears to be no activity from any of the maintainers to merge it.

zdenek-machek-swi · 2023-03-22T15:21:58Z

We are working on fix, to replace request package.

adarshmadrecha · 2023-03-28T10:16:17Z

Looking forward to the new release. Thanks in Advance.

phawxby mentioned this issue Mar 20, 2023

Replace or upgrade deprecated dependencies loggly/winston-loggly-bulk#87

Closed

Provide feedback