This repository has been archived by the owner on Apr 16, 2020. It is now read-only.

Using outdated Request module #65

Open
J4Numbers opened this issue Feb 20, 2018 · 4 comments

Comments

@J4Numbers

The Request module that is currently being used by the project (2.74.0) is using a vulnerable release of Hawk (with Hoek as a deep dependency) according to the NSP checker.

The Request module has patched this in version 2.82.0 of their project; could you update using this version as a minimum? Thanks.

@frankrousseau
Contributor

The fix is published as version 0.6.3. But it doesn't work anymore with Node 0.10.

@smashwilson

It looks like request@2.83.0 has another vulnerability reported against a dependency:

$ npm ls cryptiles
github@0.22.1-0 /Users/smashwilson/src/atom/github
└─┬ mocha-appveyor-reporter@0.4.1
  └─┬ request-json@0.6.3
    └─┬ request@2.83.0
      └─┬ hawk@6.0.2
        └── cryptiles@3.1.2

CVE-2018-1000620

Digging around, it looks like request has removed hawk as a dependency in 2.87 (request/request#2943). Request 2.88 also updated a bunch of other dependencies to resolve security vulnerabilities.

Would it be possible to publish another dependency-upgrade version? Alternately and additionally: is there any way the version specifiers in this package's dependencies could be relaxed? Currently both are specified as exact matches.

@frankrousseau
Contributor

I will have a look at it. I don't have the rights on the repo but I may have the rights to publish a new version.

@frankrousseau
Contributor

I published a new version (0.6.4). Can you tell me if everything is OK?


3 participants