
Dependency `request` is missing and vulnerable

Open SNThrailkill opened this issue 10 months ago • 5 comments

Environment details

  • OS: MacOS 14.4.1
  • Node.js version: 20.11.1
  • npm version: 10.2.4
  • gax-nodejs version: 4.3.1

Steps to reproduce

  1. Add @google-cloud/pubsub as a dependency to any project
  2. Run npm install
  3. Run npm run build or equivalent

Error

⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '/app/node_modules/google-gax/build/src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-cloud/pubsub/build/src/index.js
./src/app/my/code/pubsub.ts

Workaround

Add request as a dependency of the project by running npm install request --save

Additional Issue

On top of being missing from this package, the request package has been deprecated for 4 years and is vulnerable due to its reliance on the tough-cookie package that has well known vulnerabilities (Link 1, Link 2, Link 3).

SNThrailkill avatar Apr 09 '24 15:04 SNThrailkill

Same issue here when adding the @google-analytics/data as a dependency.

Environment details

  • OS: Windows 11
  • Node: 20.11.1
  • npm: 10.4.0
  • google-gax: 4.3.2

Error

 ⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '-\node_modules\google-gax\build\src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-analytics/data/build/src/v1alpha/alpha_analytics_data_client.js
./node_modules/@google-analytics/data/build/src/v1alpha/index.js
./node_modules/@google-analytics/data/build/src/index.js
./-

TrygveDev avatar Apr 12 '24 14:04 TrygveDev

Hey @alexander-fenster can you add a security tag to this issue?

SNThrailkill avatar Apr 15 '24 15:04 SNThrailkill

Given that there is an existing dependency node-fetch https://github.com/googleapis/gax-nodejs/blob/main/gax/package.json#L19, could we just swap request to node-fetch?

nicole0707 avatar Apr 24 '24 06:04 nicole0707

If the intent is that a request library must be provided to retry-request, would it be sufficient to throw an error here instead of requiring a module that is not a dependency?

nicole0707 avatar Apr 24 '24 06:04 nicole0707

I have submitted PR https://github.com/googleapis/gax-nodejs/pull/1590 to use teeny-request instead of request. The retry-request module that needs one of these dependencies also advises to use teeny-request instead of request and already has its own dependency on retry-request, so retry-request is already a (transitive) dependency of google-gax.

wvanderdeijl avatar May 08 '24 11:05 wvanderdeijl

I've faced a similar issue. I'm working on a Next.js project using Next 14 app router. I also came across this.

https://www.reddit.com/r/react/comments/tqv6gv/facing_breaking_change_webpack_5_used_to_include/

ThulinaWickramasinghe avatar May 17 '24 21:05 ThulinaWickramasinghe