Use newer version of Request due to failed nsp check
pdziok opened this issue · 1 comments
pdziok commented
I'm using Good guy in my project along with nsp checks.
Good guy's dependent package request
is using the tough-cookie package, for which a vulnerability was found:
(+) 1 vulnerabilities found
┌───────────────┬──────────────────────────────────────────────────────────────────────────────┐
│ │ ReDoS via long string of semicolons │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ Name │ tough-cookie │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ Installed │ 2.2.2 │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ >=0.9.7 <=2.2.2 │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ Patched │ >=2.3.0 │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ Path │ mimir-api@1.0.0 > good-guy-http@1.7.2 > request@2.69.0 > tough-cookie@2.2.2 │
├───────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/130 │
└───────────────┴──────────────────────────────────────────────────────────────────────────────┘
Please update to a newer version of request or make it less restrictive. The current 2.74.1 bumped the dependency to 2.3.0.
kjarmicki commented
Thanks for the report @pdziok :)
I've bumped request to 2.74.0 as it's the latest one released on npm, and I see that it contains tough-cookie update.
We'll keep on using exact versions of packages because it makes builds more predictable (in case someone breaks semver rules and introduces breaking changes in minor version, which unfortunately happened before).
You can now use the updated good guy version 1.7.3.