Potential exposure to CVE-2021-3918 - Score 9.8 #158
Comments
@felix-hcl, thanks for reporting this. Since
Hello @dhmlau,
Replaced request with a well-maintained fork - #179
Steps to reproduce
`npm ls json-schema`
Current Behavior
The vulnerable version of `json-schema` is a sub-dependency of `request@2.88.2`, which is the latest version of the deprecated HTTP client.
Expected Behavior
Usage of non-deprecated packages which are not exposed to security vulnerabilities.
Additional information
https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Fixes exist for `json-schema`, `jsprim` and `http-signature`, but `request` does not accept `http-signature@1.3.6`, which would resolve this issue: https://github.com/joyent/node-http-signature/blob/master/CHANGES.md#136
Related Issues
#147
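An added example, not part of the original issue or the project's code: it walks a tree shaped like `npm ls --all --json` output and reports each dependency path that ends at `json-schema`, which is the chain the issue describes through `request`. The sample tree is constructed (only `request@2.88.2` comes from the issue), and `0.4.0` as the first patched `json-schema` release is an assumption to confirm against the advisory.

```javascript
// Constructed sample input (not captured from the project). Only
// request@2.88.2 comes from the issue; other versions are illustrative.
const sampleTree = {
  name: "example-app",
  dependencies: {
    request: {
      version: "2.88.2",
      dependencies: {
        "http-signature": {
          version: "1.2.0",
          dependencies: {
            jsprim: { version: "1.4.1", dependencies: { "json-schema": { version: "0.2.3" } } },
          },
        },
      },
    },
  },
};

// Compare dotted numeric versions; prerelease tags are ignored here.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// Depth-first walk collecting each path to `target` and whether the resolved
// version is below `fixedIn` (assumed first patched release, supplied by caller).
function findExposure(node, target, fixedIn, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${dep.version || "unknown"}`];
    if (name === target) {
      const vulnerable = dep.version ? versionLessThan(dep.version, fixedIn) : null;
      hits.push({ path: here.join(" > "), vulnerable });
    }
    hits.push(...findExposure(dep, target, fixedIn, here));
  }
  return hits;
}

console.log(findExposure(sampleTree, "json-schema", "0.4.0"));
```

Feeding it the parsed output of `npm ls --all --json` in place of `sampleTree` lists every parent chain that would need an upgrade or replacement.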