Dependance on vulnerable version of request

[aliciagyt]

I currently use version 2.0.0-beta.4 and when I run npm audit fix, it signals me that I have 2 moderate vulnerabilities, one on request and one on tough-cookie, and that fixing them will install brevo@1.0.1 because brevo >=2.0.0-beta.2 depends on vulnerable versions of request.
request being deprecated anyway (source), do you plan to switch to axios or another library soon? Thanks !

[shubhamUpadhyayInBlue]

Hi @aliciagyt
Here is a new version https://www.npmjs.com/package/@getbrevo/brevo/v/2.1.1 which has many critical and high security vulnerabilites issues fixed. Kindly check this out.
Thanks.

[milo-stadion]

@shubhamUpadhyayInBlue I've just updated to 2.1.1 and it still contains the vulnerable version of the request package.

This package has been deprecated since 2020, so you should be looking to move to something new as a priority.

You can see more information about the deprecation here

You can find information about the vulnerability here

[shubhamUpadhyayInBlue]

Hi @milo-stadion
Yes, I agree with you that request module should not be used since it's deprecated. But, since these SDKs are generated using the Openapi generator it's not very straight forward to stop the usage of existing dependency package and keep the SDK backward compatible for all the APIs we support.

It is the same with the remaining Medium level vulnerabilities. However, I have bumped up the versions of other dependencies to fix the Critical and High level vulnerabilities.

However, we will discuss it to come out with a solution to this problem soon.

Thanks.

[milo-stadion]

Thanks @shubhamUpadhyayInBlue