sdk-node

Security vulnerability in dependency

Open jonmast opened this issue 2 years ago • 4 comments

The "qs" package has a vulnerability. It is depended upon via the deprecated "request" package which presumably won't be updated. This will likely require removing the "request" dependency to fix.

jonmast, Jan 10 '23 19:01

I see that the PR by @wilau2 was closed. Is there any plan to address this moving forward?

mattdknapp, Aug 01 '23 18:08

This vulnerability still exists in July 2024. Will the PR by @wilau2 be merged?

smartersign, Jul 12 '24 13:07

I do see that the @wilau2 PR uses the got package, which I believe will break CommonJS compatibility. Perhaps that is why it hasn't been implemented.

smartersign, Jul 12 '24 17:07

It works from my fork: "authorizenet": "https://github.com/wilau2/sdk-node",

wilau2, Jul 23 '24 12:07

We have replaced the offending request package with the more stable axios package, which should not have these security findings. You can use the latest version: v1.0.9. Closing this issue.

gnongsie, Sep 23 '24 06:09