Potential exposure to CVE-2021-3918 - Score 9.8

[felix-hcl]

Steps to reproduce

1. Install loopback-connector-rest
2. run npm ls json-schema

Current Behavior

The vulnerable version of json-schema is a sub-dependency of [email protected] which is the latest version of the deprecated http client.

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected] 

Expected Behavior

Usage of non-deprectated package which are not exposed to security vulnerabilities.

Additional information

https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Fixes exist for json-schema, jsprim and http-signature but request does not accept [email protected] which would resolve this issue:
https://github.com/joyent/node-http-signature/blob/master/CHANGES.md#136

Related Issues

#147

[dhmlau]

@felix-hcl, thanks for reporting this. Since request has been deprecated, it would be good to replace request module to another similar module (as you've pointed out #147).
IIRC, @marioestradarosa was looking into replacing request with axios but have some concerns about it. But I couldn't seem to find where the discussion happened. @marioestradarosa, any insights?

[felix-hcl]

Hello @dhmlau,
Thankfully in the meantime there was a fix in a sub-package so request is currently no longer vulnerable. Still the underlying issue remains by relying on a 2 year deprecated package. Is this loopback connector still maintained an recommended to be used?

[samarpanB]

Replaced request with a well-maintained fork - #179