The request package used by Node 4.3.0 is deprecated
aakashbhatiaaccenture opened this issue · 6 comments
SDK you're using (please complete the following information):
- Version [e.g. 4.37.0]
Describe the bug
xero-node >=4.0.0-alpha.1 depends on vulnerable versions of request. The request package itself is deprecated.
To Reproduce
Steps to reproduce the behavior:
- Install xero-node >= 4.0.0 using npm
- Run 'npm audit'
- See the vulnerability listed
Expected behavior
It should not make use of the deprecated package. Instead it could use one of the following listed packages: request/request#3143
PETOSS-381
Thanks for raising an issue, a ticket has been created to track your request
They have known about this for over a year and do not seem to care. I feel this package is unmaintained. They are updating the Xero API endpoints, but not maintaining any security updates.
Apologies for the delay. We have removed direct dependencies on the request module in version 5.0.0. We will soon remove it from other nested package dependencies.
Thanks very much, really appreciate it
This issue is fixed in the latest version of xero-node.
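The thread distinguishes a direct dependency on request from nested ones that can still trigger the `npm audit` finding. The following is an added example, not part of the thread or of xero-node's code, that reports which packages in a lockfile pull in a given module. It assumes the package-lock.json v2/v3 `packages` layout; the sample lockfile is constructed, and `example-oauth-lib` and all versions in it are hypothetical.

```javascript
// Constructed sample in package-lock.json v2/v3 layout ("packages" map).
// example-oauth-lib, my-app and every version here are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'xero-node': '^5.0.0' } },
    'node_modules/xero-node': { version: '5.0.0', dependencies: { 'example-oauth-lib': '^1.0.0' } },
    'node_modules/example-oauth-lib': { version: '1.0.0', dependencies: { request: '^2.88.0' } },
    'node_modules/request': { version: '2.88.2', deprecated: 'constructed deprecation notice' },
  },
};

// Resolve `name` as Node would from the package installed at `fromPath`:
// look in its own node_modules first, then walk up towards the root.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// For every installed copy of `target`, list the packages that declare it.
// `direct` is true only when the root project itself declares the target.
function whoRequires(lock, target) {
  const packages = lock.packages || {};
  const result = {};
  for (const [path, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    if (!(target in declared)) continue;
    const hit = resolveFrom(packages, path, target);
    if (!hit) continue;
    result[hit] = result[hit] || { version: packages[hit].version, direct: false, requiredBy: [] };
    if (path === '') result[hit].direct = true;
    result[hit].requiredBy.push(path === '' ? '(root project)' : path.split('node_modules/').pop());
  }
  return result;
}

console.log(JSON.stringify(whoRequires(sampleLock, 'request'), null, 2));
```

To check a real project, pass the parsed contents of its package-lock.json in place of `sampleLock`.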