
Get rid of deprecated "request" dependency

Open okovpashko opened this issue 2 years ago • 3 comments

SDK you're using (please complete the following information):

  • Version 4.19.0

Is your feature request related to a problem? Please describe. The request package was deprecated on Feb 11th, 2020, and hasn't had any updates for a while. Currently, there's at least one security advisory published for a package that's used by request: CVE-2021-3918. It seems like there won't be any fixed version released.

Describe the solution you'd like Replace the request package with one of the modern competitors: axios, got, node-fetch, etc.

Describe alternatives you've considered N/A

Additional context Probably I can make the required changes and create a PR if the team makes a decision about what replacement to use.

okovpashko avatar Mar 17 '22 11:03 okovpashko

Hey @okovpashko The team has explored alternatives and were thinking of switching to got. If you're open to making a PR that would be great and we'd be happy to collaborate with you to get the required changes implemented upstream in our codegen templates.

RettBehrens avatar Mar 17 '22 17:03 RettBehrens

@RettBehrens should I update the generated code as well or just XeroClient.ts?

okovpashko avatar Mar 25 '22 11:03 okovpashko

@okovpashko if you can do a few of the generated methods as well I can translate that upstream to the mustache templates - maybe one each for the various use cases? ie: GET, POST, PUT, DELETE and Attachments?

RettBehrens avatar Mar 28 '22 16:03 RettBehrens

Are there plans to remove "request"? There is a moderate vulnerability with it, which means it keeps throwing security warnings if we use the xero-node package now.

https://github.com/advisories/GHSA-p8p7-x288-28g6

AndrewLugg avatar Sep 27 '23 03:09 AndrewLugg

Any update on this? It's been 4 years since Request had any updates, and there are now at least 2 vulnerabilities associated with this package.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28155 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26136

AshcatY2K avatar Oct 10 '23 06:10 AshcatY2K

Any updates/plans on fixing this?

AshcatY2K avatar Nov 15 '23 05:11 AshcatY2K

Apologies for the delay. We have now replaced the "request" module with Axios. The latest SDK, v5.0.0, contains the fix. Hope this helps.

manishT72 avatar Feb 05 '24 12:02 manishT72