opsgenie-nodejs-sdk
requestretry vulnerability
The requestretry v1.13.0 has a cookie exposure vulnerability.
To reproduce:
$ npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cookie exposure in requestretry │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ requestretry │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ opsgenie-sdk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ opsgenie-sdk > requestretry │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-hjp8-2cm3-cc45 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Environment:
- Node version: 14.19.0
- opsgenie-sdk: 1.13.0
Could you update requestretry to 7.0.0?
Any update on this? Seems like there is already a dependabot PR opened: https://github.com/opsgenie/opsgenie-nodejs-sdk/pull/43.
I see that a new version of opsgenie-sdk is released with the updated version of requestretry. Unfortunately, it appears that the upgrade is a breaking change. Specifically, https://github.com/FGRibreau/node-request-retry/commit/0979c60#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R33 is now stripping away the authorization header. As a result, any call via the OpsGenie API using the new sdk will have no api_key, resulting in a 401 error.
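Added example (not from this thread or the opsgenie-nodejs-sdk project): a dependency-free Node script that walks a package-lock.json and reports every nested copy of a package older than the patched release, printing the same "opsgenie-sdk > requestretry" path that the npm audit table above shows. It handles both the nested lockfileVersion 1 tree and the flat "packages" map of lockfileVersion 2/3, so it goes slightly beyond the single path in the audit output. The two lock files embedded in it are constructed samples, and the version comparison is a minimal semver parser written for this example, not the npm semver library.

```javascript
// Added example (not code from the opsgenie-nodejs-sdk project or this thread):
// scan a package-lock.json for copies of a package older than the patched
// release, reporting the same "Path" that npm audit prints.

// Constructed sample lock files; they are not real project lock files.
// lockfileVersion 1 nests dependencies under each package.
const SAMPLE_LOCK_V1 = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    "opsgenie-sdk": {
      version: "1.13.0",
      dependencies: { requestretry: { version: "1.13.0" } },
    },
    requestretry: { version: "7.0.0" },
    "some-other-lib": {
      version: "2.0.0",
      dependencies: { requestretry: { version: "4.1.2" } },
    },
  },
};

// lockfileVersion 2/3 use a flat "packages" map keyed by node_modules path.
const SAMPLE_LOCK_V3 = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/opsgenie-sdk": { version: "1.13.0" },
    "node_modules/opsgenie-sdk/node_modules/requestretry": { version: "1.13.0" },
    "node_modules/requestretry": { version: "7.0.0" },
  },
};

// Parse "v1.2.3-beta+build" into [1, 2, 3]; pre-release and build tags are ignored.
function parseSemver(version) {
  const core = String(version).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every copy of pkgName in the lock whose version is below patchedVersion,
// each with the dependency path npm audit would show ("a > b > pkg").
function findVulnerable(lock, pkgName, patchedVersion) {
  const hits = [];
  const record = (pathSegments, version) => {
    if (compareSemver(version, patchedVersion) < 0) {
      hits.push({ path: pathSegments.join(" > "), version });
    }
  };
  if (lock.packages) {
    // Flat map: "node_modules/a/node_modules/pkg" -> ["a", "pkg"]
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project itself
      const segments = key
        .split("node_modules/")
        .filter(Boolean)
        .map((s) => s.replace(/\/$/, ""));
      if (segments[segments.length - 1] === pkgName) record(segments, info.version);
    }
  } else {
    // Nested tree: recurse through each package's own dependencies
    const walk = (deps, pathSegments) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const here = pathSegments.concat(name);
        if (name === pkgName) record(here, info.version);
        walk(info.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Read a real lock file from disk and run the same check.
function auditLockFile(lockPath, pkgName, patchedVersion) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(lockPath, "utf8"));
  return findVulnerable(lock, pkgName, patchedVersion);
}

// Stand-alone run: report on the constructed v1 sample.
for (const f of findVulnerable(SAMPLE_LOCK_V1, "requestretry", "7.0.0")) {
  console.log(`requestretry@${f.version} (< 7.0.0) via ${f.path}`);
}
```

To check a real project, call `auditLockFile("package-lock.json", "requestretry", "7.0.0")` from the project root; a non-empty result means a vulnerable copy is still installed somewhere in the tree even if the top-level dependency was bumped, which is exactly the nested "opsgenie-sdk > requestretry" case reported in this issue.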