Remove "request" dependency due to security vulnerability? CVE-2023-28155 #51

justin-wilxite · 2023-03-26T16:49:25Z

The dependency "request" has a security vulnerability (reported by npm audit):

The "request" library itself is deprecated:

There is a PR on the project to fix the vulnerability, but it looks like it will not be merged:

Eskotus · 2023-06-29T09:35:02Z

Looks like it's not even used in the repository. Was it just forgotten in the deps?

dan-j · 2024-03-26T11:03:38Z

Looks like this was addressed here: #60

Just needs a release cutting from main. Is there a plan to do this soon?

aeneasr · 2024-03-26T11:05:03Z

Thank you for letting us know - release is triggerd! Closing issue

aeneasr · 2024-03-26T11:07:38Z

Would appreciate help fixing the issues!

dan-j · 2024-03-26T11:40:18Z

Tests pass locally on node 21, GitHub Actions are on 17.. do you want to upgrade, or fix the test on 17?

dan-j · 2024-03-26T11:45:57Z

The version of next used on main requires >=18.17.0, if that helps answer your question? I've confirmed that tests pass on v18.19.1

aeneasr closed this as completed Mar 26, 2024

This was referenced Apr 5, 2024

Upgrade actions to node 18 #62

Closed

chore(actions): upgrade release workflow to use node v18 #63

Merged

Provide feedback