xero-node
Get rid of deprecated "request" dependency
SDK you're using (please complete the following information):
- Version 4.19.0
Is your feature request related to a problem? Please describe.
The request package was deprecated on Feb 11th, 2020, and hasn't had any updates for a while.
Currently, there's at least one security advisory published for a package that's used by request: CVE-2021-3918. It seems like there won't be any fixed version released.
Describe the solution you'd like
Replace the request package with one of the modern competitors: axios, got, node-fetch, etc.
Describe alternatives you've considered
N/A
Additional context
Probably I can make the required changes and create a PR if the team makes a decision about what replacement to use.
Hey @okovpashko The team has explored alternatives and were thinking of switching to got. If you're open to making a PR that would be great and we'd be happy to collaborate with you to get the required changes implemented upstream in our codegen templates.
@RettBehrens should I update the generated code as well or just XeroClient.ts?
@okovpashko if you can do a few of the generated methods as well I can translate that upstream to the mustache templates - maybe one each for the various use cases? ie: GET, POST, PUT, DELETE and Attachments?
Are there plans to remove "request"? There is a moderate vulnerability with it, which means it keeps throwing security warnings if we use the xero-node package now.
https://github.com/advisories/GHSA-p8p7-x288-28g6
Any update on this? It's been 4 years since Request had any updates and there are now at least 2 vulnerabilities associated with this package.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136
Any updates/plans on fixing this?
Apologies for the delay. We have now replaced the "request" module with Axios. The latest SDK, v5.0.0, contains the fix. Hope this helps.
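The check a consumer of this SDK would want after upgrading: confirm that the deprecated `request` package is actually gone from the installed dependency tree, not just from xero-node's own package.json. The script below is an added example, not code from xero-node or its maintainers; it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of `request` together with the packages that declare it as a dependency. The lockfile contents are constructed inline for illustration; the "4.19.0 depends on request ^2.88.2" figures are sample values, not verified metadata.

```javascript
// Added example (not xero-node's code): find the deprecated `request` package in a
// package-lock.json and report which packages still pull it in.
const TARGET = "request";

// Package name for a lockfile path such as
// "node_modules/xero-node/node_modules/request" -> "request".
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns { installed: [{path, version}], dependents: [{name, version, range}] }.
// The root project entry (key "") is checked as a dependent but never as an
// installed copy, since it is the project itself.
function findDeprecatedDependency(lock, target = TARGET) {
  const packages = lock.packages || {};
  const installed = [];
  const dependents = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = lockPath === "" ? (meta.name || "<root>") : packageName(lockPath);
    if (lockPath !== "" && name === target) {
      installed.push({ path: lockPath, version: meta.version });
    }
    // Optional deps count too: npm installs them unless they fail to build.
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (Object.prototype.hasOwnProperty.call(deps, target)) {
      dependents.push({ name, version: meta.version, range: deps[target] });
    }
  }
  return { installed, dependents };
}

// Constructed sample lockfile, trimmed to the entries relevant to this check.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "xero-node": "^4.19.0" } },
    "node_modules/xero-node": { version: "4.19.0", dependencies: { request: "^2.88.2" } },
    "node_modules/request": { version: "2.88.2", dependencies: { "tough-cookie": "~2.5.0" } },
    "node_modules/tough-cookie": { version: "2.5.0" },
  },
};

const report = findDeprecatedDependency(SAMPLE_LOCK);
if (report.installed.length > 0) {
  console.log(`'${TARGET}' is still installed:`, report.installed);
  console.log("declared as a dependency by:", report.dependents);
} else {
  console.log(`'${TARGET}' is not present in the lockfile.`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty `installed` list after upgrading to 5.0.0 is the expected result.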