Inquiry about server-side request forgery vulnerability and its fix #3455

Open
jackmcd101 opened this issue Jun 23, 2023 · 1 comment

@jackmcd101

Hello,

I noticed that the request package has a moderate severity vulnerability related to server-side request forgery. I ran npm audit fix as suggested, but I wanted to confirm whether the package has been updated to a non-vulnerable version.

The vulnerability is documented here: GHSA-p8p7-x288-28g6.

Could you please provide information on the status of this vulnerability? Has it been addressed in a recent release of the request package? If not, do you have any plans to release a fix or take any other measures to mitigate this vulnerability?

Best,

Jack McDermott

@s100

s100 commented Jun 30, 2023

request has been deprecated since February 2020. It is no longer under active development, even for security fixes. This CVE will not be fixed. The only fix is to stop using request entirely, and perhaps migrate to an alternative library.
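Added example, not part of the thread or of the request project's code: since removal is the only remediation, this sketch walks an npm lockfile to show every installed copy of `request` and which packages declare it, directly or transitively. It assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by install path); the helper names and the sample lockfile are constructed for illustration.

```javascript
// Added example: finds where `request` enters a dependency tree.
// Assumes npm lockfile v2/v3: a top-level "packages" map keyed by install path.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// findUsers is a hypothetical helper name, not an npm API.
function findUsers(lock, target = "request") {
  const packages = lock.packages || {};
  const installed = [];  // every installed copy of the target
  const requiredBy = []; // every package that declares the target
  for (const [path, meta] of Object.entries(packages)) {
    // The package name is whatever follows the last "node_modules/" segment.
    const name = path === "" ? "(root project)" : path.split("node_modules/").pop();
    if (name === target) installed.push({ path, version: meta.version });
    for (const field of DEP_FIELDS) {
      const range = meta[field] && meta[field][target];
      if (range) requiredBy.push({ name, field, range, direct: path === "" });
    }
  }
  return { installed, requiredBy };
}

// Constructed sample lockfile; package names and versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "request": "^2.0.0", "legacy-sdk": "^1.0.0" } },
    "node_modules/request": { version: "2.0.1" },
    "node_modules/legacy-sdk": { version: "1.4.0", dependencies: { "request": "^2.0.0" } },
    "node_modules/@scope/http-util": { version: "3.1.0", dependencies: { "other-http": "^5.0.0" } },
    "node_modules/legacy-sdk/node_modules/request": { version: "2.0.0" },
  },
};

// Turns the findings into one line per installed copy and per declaring package.
function report(lock) {
  const { installed, requiredBy } = findUsers(lock);
  const lines = installed.map((i) => `installed: ${i.path} @ ${i.version}`);
  for (const r of requiredBy) {
    lines.push(`${r.direct ? "direct" : "transitive via " + r.name}: ${r.field} ${r.range}`);
  }
  return lines;
}

console.log(report(sampleLock).join("\n"));
```

A direct entry is one the project can remove itself; a transitive entry means the declaring package has to be upgraded or replaced before `request` leaves the tree.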
