
SNOW-565105: Vulnerability in "request" library

Open bobbrodie opened this issue 2 years ago • 3 comments

The snowflake-sdk package is dependent on [email protected], which is problematic because:

  1. The request library is deprecated
  2. The request library uses [email protected] defined by ~6.5.3
  3. The version of qs cannot be overridden with a patched version using npm overrides because it will throw a version mismatch

  1. What version of NodeJS are you using (node --version and npm --version)?

     node: v16.13.2
     npm: 8.5.5

  2. What operating system and processor architecture are you using?

     Software:

         System Software Overview:

           System Version: macOS 12.3 (21E230)
           Kernel Version: Darwin 21.4.0
           Boot Volume: Macintosh HD
           Boot Mode: Normal
           Computer Name: Robert’s MacBook Pro (2)
           User Name: Robert Brodie (r.brodie)
           Secure Virtual Memory: Enabled
           System Integrity Protection: Enabled
           Time since boot: 11 days 5:17

  3. What are the component versions in the environment (npm list)? Not applicable

  4. What did you do? If possible, provide a recipe for reproducing the error. A complete runnable program is good.

     npm ls qs

  5. What did you expect to see?

     A version greater than 6.8.0

  6. What did you see instead?

     └─┬ [email protected]
       └─┬ [email protected]
         └── [email protected]

  7. Add this to get standard output. Not applicable

bobbrodie avatar Mar 28 '22 20:03 bobbrodie
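The issue above hinges on a transitive copy of qs that `npm ls qs` shows sitting below the patched floor. The following script is an added example (not from the issue or the snowflake-sdk project): it walks the JSON tree that `npm ls --all --json` prints and reports every installed copy of a package older than a minimum version together with the dependency path that pulls it in. The package versions in the sample tree are constructed placeholders, not the real ones.

```javascript
// Added example, not project code: audit an `npm ls --all --json` tree for
// transitive copies of a package below a minimum version, e.g. qs < 6.8.0.

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// Compares numerically per component, so 6.10.0 sorts above 6.8.0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk of the `dependencies` tree. Collects every occurrence of
// `name` older than `minVersion`, with the chain of parents that pulls it in,
// so nested copies (the case npm overrides could not fix here) are not missed.
function findOutdated(tree, name, minVersion, path = [], found = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name && compareVersions(info.version, minVersion) < 0) {
      found.push({ version: info.version, path: here.join(' > ') });
    }
    findOutdated(info, name, minVersion, here, found);
  }
  return found;
}

// Constructed sample shaped like `npm ls --all --json` output. Versions are
// placeholders that mirror the issue's dependency chain, not real releases.
const sampleTree = {
  name: 'example-app',
  dependencies: {
    'snowflake-sdk': {
      version: '1.6.0',
      dependencies: {
        request: { version: '2.88.0', dependencies: { qs: { version: '6.5.3' } } },
      },
    },
    express: { version: '4.18.0', dependencies: { qs: { version: '6.10.0' } } },
  },
};

// To audit a real project, replace sampleTree with JSON.parse of `npm ls --all --json`.
for (const h of findOutdated(sampleTree, 'qs', '6.8.0')) {
  console.log(`qs@${h.version} is below 6.8.0 via ${h.path}`);
}
```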

Yeah, we've got this on our radar as well. We've actually moved to axios because the request lib exposes a CVE, but obviously the fact that this is one of our deps means we're still going to be pulling in request.

fhawkes avatar Mar 29 '22 18:03 fhawkes

+1 for removing request as a dependency. It has a critical vulnerability.

snowflake-sdk > request > http-signature > jsprim > json-schema
https://www.npmjs.com/advisories/1070413

ZeRego avatar Jun 09 '22 10:06 ZeRego

More info on this related issue: https://github.com/snowflakedb/snowflake-connector-nodejs/issues/135 possibly a dupe

owlas avatar Jun 09 '22 11:06 owlas

request removed from dependencies with v1.6.12, closing this issue

sfc-gh-dszmolka avatar Jan 14 '23 08:01 sfc-gh-dszmolka