
Deprecated request and request-promise packages leading to vulnerability in tough-cookie module

Open RecklessWave opened this issue 1 year ago • 5 comments

On the latest version, 0.66, node-telegram-bot-api relies on deprecated request and request-promise packages, which depend on a vulnerable tough-cookie version (https://github.com/advisories/GHSA-p8p7-x288-28g6).

npm audit suggests only temporary fixes, without resolving the underlying issues. I'm seeking updates or workarounds to address these security risks effectively. Is it possible that updating to the latest version of https://www.npmjs.com/package/@cypress/request could resolve it?

RecklessWave avatar Oct 22 '24 01:10 RecklessWave

Following the suggestion in this thread:

https://github.com/cypress-io/cypress/issues/27261

"NOTE: This is a temporary workaround with npm until the tough-cookie dependency version bump is merged. Add the following to package.json:

"overrides": { "tough-cookie": "^4.1.3" }"

I was able to resolve it. However, the other vulnerability remains, seemingly because request-promise-core relies on deprecated request version 2.34.0:

https://github.com/advisories/GHSA-p8p7-x288-28g6

RecklessWave avatar Oct 22 '24 02:10 RecklessWave
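The check a practitioner wants after applying the `overrides` workaround in the comment above is whether every copy of tough-cookie in the lockfile, hoisted or nested, now resolves at or above the fixed version, and which copies of the deprecated `request` package the override leaves untouched. The script below is an added example, not code from this thread or from node-telegram-bot-api: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), reports copies below a given version, and builds the `overrides` entry without clobbering existing ones. `SAMPLE_LOCK` and every path, name and version in it are constructed for the demo and are not a real dependency tree; the version comparison is a deliberately small numeric MAJOR.MINOR.PATCH compare, not the full semver range grammar.

```javascript
// Added example, not code from the issue thread or from node-telegram-bot-api.
// Audits an npm lockfile ("packages" map, lockfileVersion 2/3) for copies of a
// package below a fixed version, and adds the package.json "overrides" entry.

// Constructed sample lockfile fragment (not a real dependency tree). It models
// the situation in the thread: a hoisted tough-cookie 2.x plus a second,
// nested copy, and two copies of the deprecated `request` package.
const SAMPLE_LOCK = {
  name: 'my-bot',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'node-telegram-bot-api': '^0.66.0' } },
    'node_modules/node-telegram-bot-api': { version: '0.66.0' },
    'node_modules/request': { version: '2.88.2' },
    'node_modules/tough-cookie': { version: '2.5.0' },
    'node_modules/request-promise': { version: '4.2.6' }, // shares a prefix with "request" only
    'node_modules/request-promise-core': { version: '1.1.4' },
    'node_modules/request-promise-core/node_modules/request': { version: '2.34.0' },
    'node_modules/request-promise-core/node_modules/tough-cookie': { version: '4.0.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a prerelease/build suffix is ignored.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Comparator returning -1, 0 or 1. Numeric per component, so 4.10.0 > 4.9.9
// (a plain string compare would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, hoisted or nested under another package's
// node_modules. Matching on the full "node_modules/<name>" suffix keeps
// "request-promise" from matching a lookup for "request"; scoped names work too.
function findPackageVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path.endsWith(suffix) && entry && entry.version)
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Copies of `name` resolving below `fixedVersion`. ok === true means none are
// left; a single nested old copy is enough for npm audit to keep flagging it.
function auditFixed(lock, name, fixedVersion) {
  const copies = findPackageVersions(lock, name);
  const vulnerable = copies.filter((c) => compareVersions(c.version, fixedVersion) < 0);
  return { name, copies, vulnerable, ok: vulnerable.length === 0 };
}

// New package.json object with `name: range` added to "overrides", keeping any
// overrides already present. Does not mutate the input.
function addOverride(pkgJson, name, range) {
  return { ...pkgJson, overrides: { ...(pkgJson.overrides || {}), [name]: range } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditFixed(SAMPLE_LOCK, 'tough-cookie', '4.1.3');
  for (const c of report.vulnerable) console.log(`below 4.1.3: ${c.path} (${c.version})`);
  console.log(JSON.stringify(addOverride({ name: 'my-bot' }, 'tough-cookie', '^4.1.3'), null, 2));
  // The override says nothing about `request` itself; those copies stay as they are.
  console.log('request copies:', findPackageVersions(SAMPLE_LOCK, 'request').map((c) => c.version));
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and re-run `npm install` after adding the override, since the override only takes effect when the lockfile is regenerated.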

Perhaps Request could be replaced with Axios?

RecklessWave avatar Oct 22 '24 02:10 RecklessWave

https://github.com/request/request/issues/3142

I'll take a look at how hard a migration would be.

theimo1221 avatar Jan 01 '25 23:01 theimo1221

Thank you! Let me know if I can assist or test in any way.

RecklessWave avatar Jan 01 '25 23:01 RecklessWave

If anyone is working on this, I would like to recommend got or ky.

vyshnav-vinod avatar Jul 01 '25 14:07 vyshnav-vinod