
[Security Vulnerability] xmlhttprequest 1.8.0

Open franzbecker opened this issue 3 years ago • 1 comments

👋 Hey there,

I've noticed that the Twilio client uses xmlhttprequest in version 1.8.0 which has a security vulnerability. https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

https://github.com/twilio/twilio-client.js/blob/743abf614d6ac2f8f440dac27ad7d731ea708818/package.json#L124

Would it be possible to address this issue? 🙏

Heads up: xmlhttprequest seems to be no longer maintained.

The suggested remediation is to:

Upgrade xmlhttprequest-ssl to version 1.6.2 or higher.

franzbecker, May 07 '21 18:05

Thanks @franzbecker, we'll look into this upgrade. Because this is a different package, we will have to do some extra testing to make sure all functionality is the same and if not, we'll need to update our logic. I'm creating a ticket on our end to investigate internally.

liberty-rowland, Aug 09 '21 15:08
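Added example (not part of the issue thread and not Twilio's code): a check that walks a parsed `package-lock.json` and reports every installed copy of the two packages named in this issue, marking `xmlhttprequest-ssl` below the 1.6.2 floor from the quoted remediation as `upgrade`. The function names, the `review` status for `xmlhttprequest` and the sample lockfile are assumptions made for illustration.

```javascript
// Added example; findXhrPackages and SAMPLE_LOCK are hypothetical names.
// Floor is the remediation quoted in the issue: xmlhttprequest-ssl >= 1.6.2.
const FIXED_FLOOR = { 'xmlhttprequest-ssl': '1.6.2' };
const WATCHED = ['xmlhttprequest', 'xmlhttprequest-ssl'];
// Compare plain x.y.z versions; pre-release/build suffixes are ignored.
function cmpVersion(a, b) {
  const parts = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function classify(name, version, path) {
  const floor = FIXED_FLOOR[name];
  // No floor for xmlhttprequest: the issue reports it as no longer maintained.
  const status = !floor ? 'review' : cmpVersion(version, floor) < 0 ? 'upgrade' : 'ok';
  return { name, version, path, status };
}

// Accepts a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findXhrPackages(lock) {
  const hits = [];
  const check = (name, meta, path) => {
    if (WATCHED.includes(name) && meta.version) hits.push(classify(name, meta.version, path));
  };
  if (lock.packages) { // v2/v3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), meta, path);
    }
    return hits;
  }
  (function walk(deps, trail) { // v1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile, not taken from twilio-client.js.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  'node_modules/xmlhttprequest': { version: '1.8.0' },
  'node_modules/some-dep/node_modules/xmlhttprequest-ssl': { version: '1.5.5' },
  'node_modules/xmlhttprequest-ssl': { version: '1.6.3' },
} };
console.log(findXhrPackages(SAMPLE_LOCK));
```

Nested copies matter here: a top-level `xmlhttprequest-ssl` at a fixed version does not cover an older copy pinned under another dependency's `node_modules`.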