
Module 'request' (used in test) is deprecated and has a vulnerability #391

Open · 1 of 3 tasks
millerds opened this issue Jan 24, 2024 · 0 comments
Labels: Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP

Comments

@millerds (Contributor)

Prerequisites

Please answer the following questions before submitting an issue.
YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version of Node and the tools
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Expected behavior

No vulnerabilities reported by npm install or npm audit

Current behavior

npm install or audit reports a vulnerability with tough-cookie by way of the 'request' module used for testing. We should use a different module since 'request' is deprecated (and 4 years old). See request/request#3143 for alternatives

Steps to Reproduce

run 'npm audit'

Context

  • Operating System: Win32
  • Node version: v18
  • Office version: n/a
  • Tool version: n/a

Failure Logs

npm audit report

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install office-addin-debugging@4.3.9, which is a breaking change
node_modules/axios
@microsoft/teams-manifest <=0.1.2
Depends on vulnerable versions of axios
node_modules/@microsoft/teams-manifest
@microsoft/teamsfx-api <=0.22.6
Depends on vulnerable versions of @microsoft/teams-manifest
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-api
@microsoft/teamsfx-cli *
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of @microsoft/teamsfx-core
node_modules/@microsoft/teamsfx-cli
office-addin-dev-settings >=1.11.0
Depends on vulnerable versions of @microsoft/teamsfx-cli
node_modules/office-addin-dev-settings
office-addin-debugging >=4.3.10
Depends on vulnerable versions of office-addin-dev-settings
node_modules/office-addin-debugging
@microsoft/teamsfx-core <=2.0.6
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-core

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

9 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP label Jan 24, 2024
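Added example, not code from this issue or the project: a small Node script that triages the `npm audit --json` form of a report like the one above, separating findings `npm audit fix` can resolve from those that need a breaking upgrade and those with no fix at all (the `request`/`tough-cookie` case, where only a dependency swap helps). The sample report is constructed from the findings in this issue, and the report shape is assumed to be npm's auditReportVersion 2 format.

```javascript
// Constructed sample mirroring the audit report in this issue (not the
// project's real output). Assumed npm auditReportVersion 2 shape: `fixAvailable`
// is true, false, or an object naming the top-level package whose update fixes it.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: 'axios', severity: 'moderate', isDirect: false, range: '0.8.1 - 1.5.1',
      via: [{ title: 'Axios Cross-Site Request Forgery Vulnerability',
              url: 'https://github.com/advisories/GHSA-wf5p-g6vw-rhxx' }],
      fixAvailable: { name: 'office-addin-debugging', version: '4.3.9', isSemVerMajor: true },
    },
    request: {
      name: 'request', severity: 'moderate', isDirect: true, range: '*',
      via: [{ title: 'Server-Side Request Forgery in Request',
              url: 'https://github.com/advisories/GHSA-p8p7-x288-28g6' }, 'tough-cookie'],
      fixAvailable: false,
    },
    'tough-cookie': {
      name: 'tough-cookie', severity: 'moderate', isDirect: false, range: '<4.1.3',
      via: [{ title: 'tough-cookie Prototype Pollution vulnerability',
              url: 'https://github.com/advisories/GHSA-72xf-g2v4-qvf3' }],
      fixAvailable: false,
    },
  },
};

// Split findings into: fixable by `npm audit fix`, fixable only via a breaking
// top-level upgrade (`--force`), and unfixable (no patched version exists).
function triageAudit(report) {
  const result = { fixable: [], breaking: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    // Object entries in `via` are advisories; strings only name the vulnerable
    // transitive dependency (request -> tough-cookie in this report).
    const advisories = v.via.filter((x) => typeof x === 'object').map((x) => x.url.split('/').pop());
    const entry = { name: v.name, severity: v.severity, range: v.range,
                    direct: v.isDirect, advisories };
    if (v.fixAvailable === false) result.unfixable.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) result.fixable.push(entry);
    else result.breaking.push({ ...entry,
      fixVia: `${v.fixAvailable.name}@${v.fixAvailable.version}` });
  }
  return result;
}

// CI gate: non-zero when any finding has no fix, so the build fails until the
// dependency is replaced instead of silently carrying the advisory.
function auditExitCode(report) {
  return triageAudit(report).unfixable.length > 0 ? 1 : 0;
}
```

On the constructed report the gate returns 1, because `request` and `tough-cookie` have no fixed version.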