Update request dependency to 2.86.x to fix security vulnerability
codyjdalton opened this issue · 2 comments
codyjdalton commented
1 vulnerability found - Severity: 1 moderate
See: https://nodesecurity.io/advisories/664
Request package removed the stringstream dependency in 2.86 but coveralls is still using 2.85, which contains the vulnerability.
NOTE:
Can be resolved in parent projects by running:
npm update request --depth 2
And committing package-lock.json.
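An added example (not code from the coveralls project or from anyone in this issue) of the check a parent project would want before and after running the `npm update` above: walk `package-lock.json` and report every nested copy of `request` older than 2.86.0, the first release without the `stringstream` dependency named in the advisory. The lock file embedded below is a constructed sample in the nested `lockfileVersion: 1` layout npm 5/6 writes; the `FIXED_IN` constant and the version-comparison helper are assumptions of this example, not from the page.

```javascript
// Constructed sample lock file: coveralls pins its own nested request 2.85.0
// (which still pulls stringstream), while the top-level request is already 2.87.0.
const sampleLock = {
  name: 'parent-project',
  lockfileVersion: 1,
  dependencies: {
    coveralls: {
      version: '3.0.1',
      requires: { request: '^2.85.0' },
      dependencies: {
        request: {
          version: '2.85.0',
          requires: { stringstream: '~0.0.5' },
          dependencies: {
            stringstream: { version: '0.0.5' },
          },
        },
      },
    },
    request: { version: '2.87.0' },
  },
};

// First request release without the stringstream dependency (assumption of this example).
const FIXED_IN = '2.86.0';

// Numeric "x.y.z" comparison; a pre-release suffix is ignored so "2.86.0-rc1"
// compares as 2.86.0. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively visit every lock entry, keeping the node_modules chain as the path,
// and collect each copy of request below FIXED_IN. Hoisted copies at the top
// level and copies nested under other packages are both found.
function findVulnerableRequest(lock) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === 'request' && compareVersions(info.version, FIXED_IN) < 0) {
        hits.push({
          path: here.join(' > '),
          version: info.version,
          // `requires` lists what this copy pulls in; call out stringstream explicitly.
          pullsStringstream: Boolean(info.requires && info.requires.stringstream),
        });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Report on the sample lock; an empty list means the update took effect.
for (const h of findVulnerableRequest(sampleLock)) {
  console.log(`${h.path}@${h.version}` + (h.pullsStringstream ? ' (pulls stringstream)' : ''));
}
```

To run this against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the sample above reports `coveralls > request@2.85.0 (pulls stringstream)`, and after `npm update request --depth 2` the same walk should return nothing. Lock files written by npm 7 and later use a flat `packages` map keyed by path instead of nested `dependencies`, so this walker would need a different traversal there.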
adrukh commented
I'd like to piggy-back this issue and suggest replacing request with a thinner HTTP client package (got, axios, needle and the like).
request is GREAT but it has some side effects:
- it adds ~4.5MB to the install size of coveralls - see https://packagephobia.now.sh/result?p=request
- it supports so many use cases at the cost of various dependencies, resulting in somewhat frequent creep-up of security issues.
- it introduces dependencies with less-than-perfect licenses for commercial use (see https://www.npmjs.com/package/tweetnacl and https://spdx.org/licenses/Unlicense.html)
Will the maintainers of coveralls be open to such a change? If so, I'd like to discuss alternatives and then take a stab at a PR to introduce this change.
XhmikosR commented
This can be closed