The request package used by Node 4.3.0 is depreciated

Question

The request package used by Node 4.3.0 is depreciated

aakashbhatiaaccenture opened this issue 9 months ago · 6 comments

aakashbhatiaaccenture commented 9 months ago

SDK you're using (please complete the following information):

Version [e.g. 4.37.0]

Describe the bug
xero-node >=4.0.0-alpha.1 depends on vulnerable versions of request. The request package itself is depreciated.

To Reproduce
Steps to reproduce the behavior:

Install xero-node >= 4.0.0 using npm
Run 'npm audit'
See the vulnerability listed

Expected behavior
It should not make use of the depreciated package. Instead it could one the following listed packages: request/request#3143

Answer 1 · 2024-01-10T13:07:04.000Z

PETOSS-381

Answer 2 · 2024-01-10T13:07:05.000Z

Thanks for raising an issue, a ticket has been created to track your request

Answer 3 · 2024-01-29T19:50:20.000Z

They have known about this for over a year, and not seeming to care. I feel this package is unmaintained. They are updating the xero api endpoints, but not maintaining any security updates.

Answer 4 · 2024-02-05T12:49:20.000Z

Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

Answer 5 · 2024-02-06T00:23:55.000Z

Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

Thanks very much, really appreciate it

Answer 6 · 2024-02-08T03:19:02.000Z

this issue is fixed in latest version of xero-node.