loopback-connector-rest
Potential exposure to CVE-2021-3918 - Score 9.8
Steps to reproduce
- Install loopback-connector-rest
- Run:
    npm ls json-schema
Current Behavior
The vulnerable version of json-schema is a sub-dependency of [email protected], which is the latest version of the deprecated http client.
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            └── [email protected]
Expected Behavior
Usage of non-deprecated packages which are not exposed to security vulnerabilities.
Additional information
https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Fixes exist for json-schema, jsprim and http-signature, but request does not accept [email protected], which would resolve this issue:
https://github.com/joyent/node-http-signature/blob/master/CHANGES.md#136
Related Issues
https://github.com/loopbackio/loopback-connector-rest/issues/147
@felix-hcl, thanks for reporting this. Since request has been deprecated, it would be good to replace the request module with another similar module (as you've pointed out in #147). IIRC, @marioestradarosa was looking into replacing request with axios but had some concerns about it. But I couldn't seem to find where the discussion happened. @marioestradarosa, any insights?
Hello @dhmlau, thankfully in the meantime there was a fix in a sub-package, so request is currently no longer vulnerable. Still, the underlying issue remains by relying on a 2-year-deprecated package. Is this loopback connector still maintained and recommended to be used?
Replaced request with a well-maintained fork - https://github.com/loopbackio/loopback-connector-rest/pull/179