Excel-Custom-Functions

Module 'request' (used in test) is deprecated and has a vulnerability

Open millerds opened this issue 1 year ago • 0 comments

Prerequisites

Please answer the following questions before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • [X] I am running the latest version of Node and the tools
  • [ ] I checked the documentation and found no answer
  • [ ] I checked to make sure that this issue has not already been filed

Expected behavior

No vulnerabilities reported by npm install or npm audit

Current behavior

npm install or audit reports a vulnerability with tough-cookie by way of the 'request' module used for testing. We should use a different module since 'request' is deprecated (and 4 years old). See https://github.com/request/request/issues/3143 for alternatives.

Steps to Reproduce

run 'npm audit'

Context

  • Operating System: Win32
  • Node version: v18
  • Office version: n/a
  • Tool version: n/a

Failure Logs

npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/axios
  @microsoft/teams-manifest  <=0.1.2
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teams-manifest
  @microsoft/teamsfx-api  <=0.22.6
  Depends on vulnerable versions of @microsoft/teams-manifest
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teamsfx-api
  @microsoft/teamsfx-cli  *
  Depends on vulnerable versions of @microsoft/teamsfx-api
  Depends on vulnerable versions of @microsoft/teamsfx-core
  node_modules/@microsoft/teamsfx-cli
  office-addin-dev-settings  >=1.11.0
  Depends on vulnerable versions of @microsoft/teamsfx-cli
  node_modules/office-addin-dev-settings
  office-addin-debugging  >=4.3.10
  Depends on vulnerable versions of office-addin-dev-settings
  node_modules/office-addin-debugging
  @microsoft/teamsfx-core  <=2.0.6
  Depends on vulnerable versions of @microsoft/teamsfx-api
  Depends on vulnerable versions of axios
  node_modules/@microsoft/teamsfx-core

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

9 moderate severity vulnerabilities

To address issues that do not require attention, run: npm audit fix

To address all issues possible (including breaking changes), run: npm audit fix --force

Some issues need review, and may require choosing a different dependency.

millerds, Jan 24 '24 00:01
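The report above mixes advisories that `npm audit fix` can resolve with ones that need a dependency swap (request pins a tough-cookie range with no upstream fix). As an added example, not code from the Excel-Custom-Functions repository or the issue author, the Node script below triages an `npm audit --json` report into that distinction; the `auditReport` object is a constructed, trimmed stand-in for the output quoted in the issue.

```javascript
// Added example (not the Excel-Custom-Functions repo's code): triage an `npm audit --json`
// report (npm 7+ schema) to tie each advisory to the dependencies that pull it in and to an
// action. `auditReport` is a constructed, trimmed stand-in for the report quoted in the issue.
const auditReport = {
  vulnerabilities: {
    "tough-cookie": { severity: "moderate", range: "<4.1.3", effects: ["request"], fixAvailable: false,
      via: [{ url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" }] },
    request: { severity: "moderate", range: "*", effects: [], fixAvailable: false,
      via: [{ url: "https://github.com/advisories/GHSA-p8p7-x288-28g6" }, "tough-cookie"] },
    axios: { severity: "moderate", range: "0.8.1 - 1.5.1", effects: ["@microsoft/teams-manifest"],
      fixAvailable: { name: "axios", isSemVerMajor: true },
      via: [{ url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }] },
    "@microsoft/teams-manifest": { severity: "moderate", range: "<=0.1.2", effects: [],
      via: ["axios"], fixAvailable: { name: "axios", isSemVerMajor: true } },
  },
};

// Advisory sources have an advisory object in `via`; a string there just names a vulnerable dep.
function rootAdvisories(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === "object"))
    .map(([name, v]) => ({ name, ...v }));
}

// Follow `effects` out to packages nothing else depends on: the ones changeable in package.json.
function topLevelDependents(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const effects = report.vulnerabilities[name]?.effects ?? [];
  if (effects.length === 0) return [name];
  return [...new Set(effects.flatMap((e) => topLevelDependents(report, e, seen)))];
}

// npm encodes fixAvailable as true, false, or { name, version, isSemVerMajor }.
function recommendedAction(fix) {
  if (fix === false) return "no upstream fix: replace or remove the dependency";
  if (fix === true || !fix.isSemVerMajor) return "npm audit fix";
  return "npm audit fix --force (semver-major, review breaking changes)";
}

function triage(report) {
  return rootAdvisories(report).map((v) => ({
    package: v.name,
    advisory: v.via.find((x) => typeof x === "object").url,
    reachedThrough: topLevelDependents(report, v.name),
    action: recommendedAction(v.fixAvailable),
  }));
}

console.table(triage(auditReport));
```

Feed it a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed object; the `reachedThrough` column then names the package.json entries to upgrade or swap.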