This repository has been archived by the owner on Oct 19, 2023. It is now read-only.

Transitive security vulnerability via request package #309

Open
kasymbayaman opened this issue Nov 22, 2021 · 1 comment

Comments

@kasymbayaman

How to reproduce:

Npm audit security report:

Moderate: json-schema is vulnerable to Prototype Pollution
Package: json-schema
Patched in: >=0.4.0
Dependency of: @hubspot/api-client
Path: @hubspot/api-client > request > http-signature > jsprim > json-schema
More info: https://github.com/advisories/GHSA-896r-f27r-55mw

Expected Behavior
request depends on http-signature with the security fix, i.e. ~1.3.6 TritonDataCenter/node-http-signature#125

Current Behavior
request 2.88.2 depends on the vulnerable http-signature 1.2.0

@kasymbayaman kasymbayaman changed the title ransitive security vulnerability via request package Transitive security vulnerability via request package Nov 22, 2021
@danielmbarlow

There is also the tough-cookie security vulnerability fixed in v4.1.3, whereas request depends on an earlier version.
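The audit path quoted in the issue and the tough-cookie comment both describe the same problem: a vulnerable version reachable only through nested `requires` edges. The script below is an added example, not code from the issue or from the @hubspot/api-client project. It walks a package-lock.json in the lockfile v1 layout the way npm resolves nested node_modules, and reports every path from a direct dependency to a package whose installed version falls outside its patched range. The lockfile is constructed: the @hubspot/api-client version is an assumption, while the request, http-signature, jsprim and json-schema versions match the issue, and the patched ranges come from the issue body (json-schema, http-signature) and the comment (tough-cookie).

```javascript
// Added example, not code from the issue or from @hubspot/api-client: walk a
// package-lock.json (lockfile v1 layout) the way npm audit does and report every
// dependency path that ends at a package installed below its patched version.

// Constructed lockfile modelled on the audit path quoted in the issue. The
// @hubspot/api-client version is an assumption; the request, http-signature,
// jsprim and json-schema versions are the ones the issue reports.
const SAMPLE_LOCK = {
  name: "app",
  lockfileVersion: 1,
  dependencies: {
    "@hubspot/api-client": { version: "5.0.0", requires: { request: "^2.88.2" } },
    request: {
      version: "2.88.2",
      requires: { "http-signature": "~1.2.0", "tough-cookie": "~2.5.0" },
    },
    "http-signature": { version: "1.2.0", requires: { jsprim: "^1.2.2" } },
    jsprim: { version: "1.4.1", requires: { "json-schema": "0.2.3" } },
    "json-schema": { version: "0.2.3" },
    "tough-cookie": { version: "2.5.0" },
  },
};

// Direct dependencies of the application (what its package.json lists).
const DIRECT_DEPS = ["@hubspot/api-client"];

// Patched ranges: json-schema and http-signature from the issue body,
// tough-cookie from the follow-up comment.
const PATCHED = {
  "json-schema": ">=0.4.0",
  "http-signature": ">=1.3.6",
  "tough-cookie": ">=4.1.3",
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher for the comparator syntax npm audit prints:
// ">=", ">", "<=", "<", "=" comparators, space-separated AND, "||" OR.
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).filter(Boolean).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case ">": return c > 0;
        case "<=": return c <= 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    })
  );
}

// npm resolves a `requires` entry against the nearest enclosing `dependencies`
// map (nested node_modules), walking outward to the root. `scopes` is that
// chain, innermost last; the match keeps only the scopes visible to it.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

function findVulnerablePaths(lock, directDeps, patched) {
  const findings = [];
  const root = lock.dependencies || {};

  const visit = (name, node, scopes, path) => {
    const range = patched[name];
    if (range && !satisfies(node.version, range)) {
      findings.push({ package: name, version: node.version, patchedIn: range, path: path.join(" > ") });
    }
    const childScopes = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      if (path.includes(dep)) continue; // guard against dependency cycles
      const hit = resolve(dep, childScopes);
      if (hit) visit(dep, hit.node, hit.scopes, [...path, dep]);
    }
  };

  for (const name of directDeps) {
    if (root[name]) visit(name, root[name], [root], [name]);
  }
  return findings;
}

// Stand-alone run: print each finding in the same "a > b > c" form npm audit uses.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of findVulnerablePaths(SAMPLE_LOCK, DIRECT_DEPS, PATCHED)) {
    console.log(`${f.package}@${f.version} (patched in ${f.patchedIn})\n  ${f.path}`);
  }
}
```

Against the constructed lockfile this yields three findings: http-signature 1.2.0, json-schema 0.2.3 along the exact path the issue quotes, and tough-cookie 2.5.0. The walker only understands the v1 `dependencies`/`requires` layout; lockfile v2 and v3 describe the tree as a flat `packages` map keyed by node_modules path, so the scope resolution would have to be rewritten for those.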
