dxatscale/sfpowerscripts

request and request-promise-native vulnerability

rygramer opened this issue · 2 comments

These two packages are no longer maintained, and Snyk has reported an issue with the request package related to Server-side Request Forgery.

jsforce went through a similar analysis and remediation here: jsforce/jsforce#1312

I wish I could help, but this is out of my wheelhouse. I do think this is an important fix to push through.

"request": "^2.88.2",
"request-promise-native": "^1.0.9",

@azlam-abdulsalam I was looking into this a bit more. Looks like the only usage of request / request-promise-native in the entire sfp library is in this method:

import { Org } from '@salesforce/core';
import request = require('request-promise-native');
// SFPLogger and LoggerLevel are sfpowerscripts' own logger; its import is project-specific and omitted here.

// The enclosing class is not shown in the issue; the name below is a placeholder.
export class ScratchOrgLimitsUtil {
    // Fetches the org limits REST resource for the given Dev Hub connection.
    public static async getScratchOrgLimits(hubOrg: Org, apiversion: string) {
        let conn = hubOrg.getConnection();
        let query_uri = `${conn.instanceUrl}/services/data/v${apiversion}/limits`;
        const limits = await request({
            method: 'get',
            url: query_uri,
            headers: {
                Authorization: `Bearer ${conn.accessToken}`,
            },
            json: true,
        });
        SFPLogger.log(`Limits Fetched: ${JSON.stringify(limits)}`, LoggerLevel.TRACE);
        return limits;
    }
}

It doesn't look like this method is referenced anywhere in the codebase. (PoolCreateImpl is using ScratchOrgLimitsFetcher, the latter not having a dependency to either request / request-promise-native, nor sfprofiles):

    this.limits = await new ScratchOrgLimitsFetcher(this.hubOrg).getScratchOrgLimits();

Perhaps the vulnerable method is an artifact of the past, and can simply be removed (which would also eliminate the dependency on request and request-promise-native)?? 🤞
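For reference, this is how the same limits call looks without the two unmaintained packages, using the runtime's built-in fetch instead. It is an added example, not sfpowerscripts code; it assumes a connection object exposing instanceUrl and accessToken (the two fields the original method reads from jsforce's Connection) and pulls the request construction into a separate function so both inputs can be validated and checked in isolation.

```typescript
// Added example (not from sfpowerscripts): the limits call without `request`
// or `request-promise-native`, built on the platform fetch API.
// Assumed: a connection object with instanceUrl and accessToken.
interface LimitsConnection {
  instanceUrl: string;
  accessToken: string;
}

interface LimitsRequest {
  url: string;
  headers: Record<string, string>;
}

// Minimal view of fetch so the example type-checks without DOM typings.
interface MinimalResponse {
  ok: boolean;
  status: number;
  json(): Promise<unknown>;
}
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string> },
) => Promise<MinimalResponse>;

// Builds the request without issuing it. Validating both inputs here keeps a
// caller-controlled string from steering the call to an unexpected host or
// path, which is the request-forgery class Snyk flagged against `request`.
function buildLimitsRequest(conn: LimitsConnection, apiversion: string): LimitsRequest {
  if (!/^\d+\.\d+$/.test(apiversion)) {
    throw new Error(`invalid API version: ${apiversion}`);
  }
  const base = new URL(conn.instanceUrl);
  if (base.protocol !== 'https:') {
    throw new Error(`refusing non-https instanceUrl: ${conn.instanceUrl}`);
  }
  return {
    url: `${base.origin}/services/data/v${apiversion}/limits`,
    headers: { Authorization: `Bearer ${conn.accessToken}`, Accept: 'application/json' },
  };
}

async function getScratchOrgLimits(
  conn: LimitsConnection,
  apiversion: string,
  fetchImpl: FetchLike = (globalThis as any).fetch, // Node 18+ ships fetch
): Promise<unknown> {
  const req = buildLimitsRequest(conn, apiversion);
  const res = await fetchImpl(req.url, { method: 'GET', headers: req.headers });
  if (!res.ok) {
    throw new Error(`limits request failed with HTTP ${res.status}`);
  }
  return res.json();
}
```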

Wohooo! Thanks @rygramer Checking this one