New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update minimum request version to enforce security fix in tough-cookie dependency #425
Conversation
Can one of the admins verify this patch? To accept patch and trigger a build add comment ".ok\W+to\W+test." |
Can one of the admins verify this patch? |
2 similar comments
Can one of the admins verify this patch? |
Can one of the admins verify this patch? |
f51fb67
to
53231b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @quentinR, thank you for the pull request!
package.json
Outdated
@@ -32,7 +32,7 @@ | |||
"loopback-phase": "^1.3.0", | |||
"mux-demux": "^3.7.9", | |||
"qs": "^6.2.1", | |||
"request": "^2.55.0", | |||
"request": "~2.83.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, ^2.55.0
will install the latest 2.x.y version of request, which includes 2.83.0. This change is not needed in the strict sense.
However, I think it makes sense to disallow older request version because they have a know security vulnerability, therefore I am fine with bumping up this version.
Please preserve the carrot operator ^
, we don't use ~
.
As can be seen from this comment, using ^
allows us to receive latest security fixes, while ~
would require us to update our dependencies whenever a security issue is fixed, and then our consumer would possibly have to update their dependencies too.
@slnode ok to test |
@bajtos thanks for the review, I updated my PR regarding your comment. |
Enforce our users to upgrade to a recent request version that contains latest security fixes: - tough-cookie vulnerability: https://nodesecurity.io/advisories/525 - request update: request/request#2776
ca635f4
to
7429142
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I have squashed the commits myself and edited the commit message to follow our 50/72 style.
Let's wait for CI results before landing.
Landed, thank you for the contribution! 👍 |
Update the version of the request dependency, due to a security issue in the tough-cookie library
tough-cookie vulnerability
request update