tedious
Deprecated dependency libraries: request, adal, ms-rest-nodeauth
Tedious is dependent on these libraries that are no longer being maintained:
"@azure/ms-rest-nodeauth": "^3.0.6", "adal-node": "^0.2.1"
ms-rest-nodeauth is deprecated and uses an old version of adal-node, 0.1.28. That 0.1.28 version of adal-node uses the deprecated request library, which is a flagged security vulnerability.
The 0.2.x versions of adal-node use axios instead of request, which is fine; however, I don't believe ms-rest-nodeauth will ever be able to pick up that update because of the jump from 0.1.x to 0.2.x. In addition, adal-node itself is deprecated in favor of the new library, MSAL.
Ideal fix for this issue would be if Tedious was able to switch to MSAL, but I am not sure of the scope of that.
The big issue is really the deprecated/vulnerable request library down the dependency chain, but unfortunately I cannot see how this can be solved lower down the chain since the in-between projects themselves are deprecated.
adal page saying to switch to MSAL: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs#readme
Migration page / MSAL library for JS: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/migration.md
"ms-rest-nodeauth is in maintenance mode": https://github.com/Azure/ms-rest-nodeauth/issues/84
"adal is in maintenance mode": https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/issues/229#issuecomment-590518066
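The dependency chain described in the report above can be traced mechanically. This is an added example, not part of the original issue or the Tedious project: it walks a constructed tree in the shape of `npm ls --all --json` output and lists every chain that ends at `request`. The `my-app` root, the `findPaths` and `directParents` helpers, and every version written `0.0.0-sample` are assumptions made for illustration.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// Versions written 0.0.0-sample are placeholders, not real releases;
// the other versions are the ones quoted in the issue.
const sampleTree = {
  name: "my-app", // hypothetical consuming application
  version: "0.0.0-sample",
  dependencies: {
    tedious: {
      version: "0.0.0-sample",
      dependencies: {
        "@azure/ms-rest-nodeauth": {
          version: "3.0.6",
          dependencies: {
            "adal-node": {
              version: "0.1.28",
              dependencies: { request: { version: "0.0.0-sample" } },
            },
          },
        },
        "adal-node": {
          version: "0.2.1",
          dependencies: { axios: { version: "0.0.0-sample" } },
        },
      },
    },
  },
};

// Depth-first walk returning every dependency chain that ends at `target`.
function findPaths(node, target, name = node.name, trail = []) {
  const here = [...trail, `${name}@${node.version}`];
  const found = name === target ? [here] : [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    found.push(...findPaths(dep, target, depName, here));
  }
  return found;
}

// Direct parents of the target: the packages that would have to drop it.
function directParents(paths) {
  return [...new Set(paths.map((p) => p[p.length - 2]))];
}

const requestPaths = findPaths(sampleTree, "request");
for (const p of requestPaths) console.log(p.join(" > "));
console.log("must change:", directParents(requestPaths).join(", "));
```

On a real project, the same functions can be fed the parsed output of `npm ls --all --json` in place of `sampleTree`.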
Thanks for pointing this out! We were actually looking into migrating to @azure/identity in place of @azure/ms-rest-nodeauth, which fortunately uses the new @azure/msal-node dependency.
Hi, it is good news that there seems to be another solution to this problem. I am not partial to one library or the other, as long as there are no vulnerabilities in the tree.
Hi, when will this be done, please? Thanks
Hi @opravil-jan, we have just started looking into this migration and plan to work on it in the near future, but we do not have a concrete estimate yet. We will update you when we finish it or when we come up with a solid estimate.