
Security - Deprecated dependency (Request)

Open Hanifb opened this issue 1 year ago • 8 comments

Request is now deprecated - it has several unaddressed issues:

Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3

Hanifb, Sep 23 '24 11:09

Same here, any updates?

npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install @getbrevo/[email protected], which is a breaking change
node_modules/request
  @getbrevo/brevo  >=2.0.0-beta.2
  Depends on vulnerable versions of request
  node_modules/@getbrevo/brevo

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install @getbrevo/[email protected], which is a breaking change
node_modules/tough-cookie

3 moderate severity vulnerabilities

dcnl1980, Oct 14 '24 11:10

For request there will be an update of the library, see here: https://github.com/request/request/issues/3142. It raises the question of why the project depends on such an outdated package.

There is a 4.1.4 version of tough-cookie that we could use. This is a dependency of request and it can be overridden like so:

{
  "name": "my-package",
  "version": "1.1.1",
  "dependencies": {
    "@getbrevo/brevo": "^2.2.0"
  },
  "overrides": {
    "@getbrevo/brevo": {
      "tough-cookie": "4.1.4"
    }
  }
}

bobylito, Dec 12 '24 12:12

Bump

SergioNR, Dec 26 '24 10:12

Up?

Pouchey, Feb 06 '25 08:02

up

proton1k, Feb 10 '25 13:02

@shubhamUpadhyayInBlue any update on this? It is really annoying.

sualko, Feb 14 '25 09:02

Looks like this has been an issue for a while - can we get a resolution on it?

Issue: The latest version of @getbrevo/[email protected] includes vulnerable transitive dependencies:

Impact: These moderate severity vulnerabilities are inherited through the request package dependency chain.

Request: Please update the SDK to use modern HTTP clients (like node-fetch, axios, or undici) instead of the deprecated request package to eliminate these security vulnerabilities.

Current workaround: Users are forced to either accept these vulnerabilities or downgrade to version 1.0.1 (which uses different dependencies but may have breaking changes).

drsib, Jul 12 '25 17:07

Hey! We have found another critical dependabot alert with form-data; this is a critical

You need to manually upgrade to the next ones:

{
  "dependencies": {
    "form-data": ">=4.0.4"
  },
  "devDependencies": {
    "form-data": ">=4.0.4"
  }
}

CVE ID: https://github.com/advisories/GHSA-fjxv-7rqg-78g4
GHSA ID: https://github.com/advisories/GHSA-fjxv-7rqg-78g4

eduardo-trawa, Jul 22 '25 14:07
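A quick way to verify that the `overrides` workaround for tough-cookie (and the form-data bump above) actually landed in your install, and to see what it does not fix, is to read the installed versions straight out of `package-lock.json` rather than trusting `npm audit`'s summary. The script below is an added example and is not brevo-node's code. It walks the lockfile's `packages` map (npm lockfile v2/v3 layout), flags tough-cookie below 4.1.3 (the range `npm audit` prints above), form-data below 4.0.4 (the floor stated in the comment above; checking only the 4.x line is an assumption here), and any version of request at all (the audit output lists `request *`, i.e. every version, and the package is deprecated). The two lockfile excerpts are constructed for the example, not taken from a real install.

```javascript
// Added example, not part of the brevo-node project: audit a package-lock.json
// "packages" map for the transitive dependencies discussed in this thread.
// Lockfile excerpts below are constructed, not captured from a real install.

// Split "4.1.3" into [4, 1, 3]; a pre-release tag like "2.0.0-beta.2" is
// dropped, which is good enough for the floors checked here.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric compare of two dotted versions: negative, zero or positive.
function cmp(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name -> predicate over the installed version that returns true
// when that version should be flagged.
const VULNERABLE = {
  // tough-cookie prototype pollution, GHSA-72xf-g2v4-qvf3: npm audit above says <4.1.3
  'tough-cookie': (v) => cmp(v, '4.1.3') < 0,
  // form-data, GHSA-fjxv-7rqg-78g4: the thread's stated fix floor is >=4.0.4
  // (assumption: only the 4.x line is checked here)
  'form-data': (v) => cmp(v, '4.0.4') < 0,
  // request, GHSA-p8p7-x288-28g6 (SSRF): audit lists "request *", so flag any install
  'request': () => true,
};

// Lockfile keys look like "node_modules/@getbrevo/brevo/node_modules/tough-cookie";
// the package name is everything after the last "node_modules/".
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Return one finding per installed copy whose version matches a predicate.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    const check = VULNERABLE[name];
    if (check && check(meta.version)) {
      findings.push({ path: lockPath, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed: a tree resolved without any overrides.
const LOCK_BEFORE = {
  name: 'my-package',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-package', dependencies: { '@getbrevo/brevo': '^2.2.0' } },
    'node_modules/@getbrevo/brevo': { version: '2.2.0' },
    'node_modules/request': { version: '2.88.2' },
    'node_modules/tough-cookie': { version: '2.5.0' },
    'node_modules/form-data': { version: '4.0.0' },
  },
};

// Constructed: the same tree after pinning tough-cookie to 4.1.4 via
// "overrides" and form-data to 4.0.4. request itself is still present.
const LOCK_AFTER = {
  name: 'my-package',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-package', dependencies: { '@getbrevo/brevo': '^2.2.0' } },
    'node_modules/@getbrevo/brevo': { version: '2.2.0' },
    'node_modules/request': { version: '2.88.2' },
    'node_modules/tough-cookie': { version: '4.1.4' },
    'node_modules/form-data': { version: '4.0.4' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Run against a real lockfile with: node audit-lock.js ./package-lock.json
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : LOCK_BEFORE;
  console.log(JSON.stringify(auditLock(lock), null, 2));
}
```

On the constructed "before" tree all three packages are flagged; on the "after" tree only request remains, which is the caveat of the overrides workaround: pinning tough-cookie and form-data clears their advisories, but the SDK still pulls in a deprecated HTTP client with its own open SSRF advisory, and only a release that drops request removes that.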