Update request to 2.88 #2496

Closed
Gwerlas opened this issue Sep 14, 2018 · 9 comments · Fixed by #2497

Comments

@Gwerlas
Contributor

Gwerlas commented Sep 14, 2018

The package extend 3.0.1, which is a dependency of request 2.87, has a vulnerability:
https://hackerone.com/reports/381185

Is it possible to upgrade to request 2.88, which has fixed its own package.json to use the fixed extend 3.0.2?

@xzyfer
Contributor

xzyfer commented Sep 14, 2018 via email

xzyfer pushed a commit that referenced this issue Sep 17, 2018
The package `extend 3.0.1`, which is a dependency of `request 2.87`, has a vulnerability:
https://hackerone.com/reports/381185

Upgrading `request` to v2.88 will install `extend` v3.0.2, the fixed version.

Fix #2496
@drakonen

Is there a release with this fix?

@Gwerlas
Contributor Author

Gwerlas commented Sep 18, 2018

Not yet.

I don't know who can make a new release.

@drakonen

@xzyfer Is there a release planned with this fix? I'd like to use a release instead of a git commit in my package.json.

@danconnell

Sorry to do this, but: @xzyfer @andre @deanmao @bwilkins @keithamus @LaurentGoderre @nschonni @adamyeats @am11

Can someone please release this to npm?

@xzyfer
Contributor

xzyfer commented Oct 15, 2018

v4.9.4 released

@gaz77a

gaz77a commented Apr 23, 2019

angular/angular#21202
As you can see in the link above, there is a similar issue where upgrading the request module from 2.87.0 to 2.88.0 also introduces the punycode module v2.1.1, which dropped support for IE11 in v2.0.0.

├─┬ node-sass@3.13.1
│ └─┬ request@2.88.0
│   ├─┬ har-validator@5.1.3
│   │ └─┬ ajv@6.10.0
│   │   └─┬ uri-js@4.2.2
│   │     └── punycode@2.1.1

Can you suggest how we can fix this for node-sass@3.13.1 without upgrading it to a major version?

@nschonni
Contributor

The version of request that node-sass uses should have no effect on your application if you require a particular version for your app. E.g. set your request version in your package.json and NPM will separate out node-sass's and your app's versions.
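The two points made in this thread, that a vulnerable version of a transitive dependency (extend 3.0.1 below request 2.87) can be found by walking the install tree, and that a version pinned in the app's package.json is installed separately from the copy nested under node-sass, can both be checked from a package-lock.json. The script below is an added example, not code from the node-sass project or from anyone in this thread. It assumes a lockfileVersion 2/3 style "packages" map keyed by install path; the lockfile contents and version numbers are constructed for illustration.

```javascript
// Added example: inspect a package-lock.json ("packages" map, lockfileVersion 2/3)
// for copies of a package older than a known fixed version, and show which copy
// a given package resolves when it require()s a dependency (Node looks in the
// nearest node_modules first, then walks up to the root).

// Constructed lockfile fragment modelled on the thread: the app pins
// request@2.87.0 (bringing extend@3.0.1), while node-sass gets its own nested
// request@2.88.0 (with extend@3.0.2). Versions are illustrative, not real data.
const lock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", dependencies: { request: "2.87.0", "node-sass": "3.13.1" } },
    "node_modules/request": { version: "2.87.0" },
    "node_modules/extend": { version: "3.0.1" },
    "node_modules/node-sass": { version: "3.13.1" },
    "node_modules/node-sass/node_modules/request": { version: "2.88.0" },
    "node_modules/node-sass/node_modules/extend": { version: "3.0.2" },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`, with its install path and version.
function findCopies(lock, name) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (p.endsWith(`node_modules/${name}`)) out.push({ path: p, version: meta.version });
  }
  return out;
}

// Copies of `name` older than `fixedVersion`. The path tells you which parent
// package owns the vulnerable copy, which is what needs to be upgraded.
function findVulnerableCopies(lock, name, fixedVersion) {
  return findCopies(lock, name).filter((c) => compareVersions(c.version, fixedVersion) < 0);
}

// The copy of `name` that the package installed at `fromPath` will require():
// try fromPath/node_modules/name, then each ancestor's node_modules, then root.
function resolveFrom(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Stand-alone run: report vulnerable extend copies and the two request resolutions.
console.log("vulnerable extend copies:", findVulnerableCopies(lock, "extend", "3.0.2"));
console.log("node-sass resolves request to:", resolveFrom(lock, "node_modules/node-sass", "request"));
console.log("the app resolves request to:", resolveFrom(lock, "", "request"));
```

Against the constructed lockfile, the only copy of extend below the fixed 3.0.2 is the root one owned by the app's pinned request 2.87.0, while node-sass resolves its own nested request 2.88.0; this is the separation nschonni describes, and it is also why pinning in the app does not by itself remove a vulnerable copy that another package still pulls in.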

@gaz77a

gaz77a commented Apr 23, 2019

Thanks @nschonni, your suggestion worked perfectly! I'm certainly impressed by the quick turnaround of the contributors of this project :)

jiongle1 pushed a commit to scantist-ossops-m2/node-sass that referenced this issue Apr 7, 2024