Dependency request is missing and vulnerable #1584

Open
SNThrailkill opened this issue Apr 9, 2024 · 6 comments · May be fixed by #1590
Assignees
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@SNThrailkill

Environment details

  • OS: MacOS 14.4.1
  • Node.js version: 20.11.1
  • npm version: 10.2.4
  • gax-nodejs version: 4.3.1

Steps to reproduce

  1. Add @google-cloud/pubsub as a dependency to any project
  2. Run npm install
  3. Run npm run build or equivalent

Error

⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '/app/node_modules/google-gax/build/src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-cloud/pubsub/build/src/index.js
./src/app/my/code/pubsub.ts

Workaround
Add request as a dependency of the project by running npm install request --save

Additional Issue
On top of being missing from this package, the request package has been deprecated for 4 years and is vulnerable due to its reliance on the tough-cookie package, which has well-known vulnerabilities (Link 1, Link 2, Link 3).

@SNThrailkill SNThrailkill added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 9, 2024
@TrygveDev

Same issue here when adding the @google-analytics/data as a dependency.

Environment details

  • OS: Windows 11
  • Node: 20.11.1
  • npm: 10.4.0
  • google-gax: 4.3.2

Error

 ⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '-\node_modules\google-gax\build\src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-analytics/data/build/src/v1alpha/alpha_analytics_data_client.js
./node_modules/@google-analytics/data/build/src/v1alpha/index.js
./node_modules/@google-analytics/data/build/src/index.js
./-

@SNThrailkill
Author

SNThrailkill commented Apr 15, 2024

Hey @alexander-fenster can you add a security tag to this issue?

@nicole0707

Given that there is an existing dependency node-fetch https://github.com/googleapis/gax-nodejs/blob/main/gax/package.json#L19, could we just swap request to node-fetch?

@nicole0707

nicole0707 commented Apr 24, 2024

If the intent is that a request library must be provided to retry-request, would it be sufficient to throw an error here instead of requiring a module that is not a dependency?

@wvanderdeijl

I have submitted PR #1590 to use teeny-request instead of request. The retry-request module that needs one of these dependencies also advises using teeny-request instead of request and already has its own dependency on retry-request, so retry-request is already a (transitive) dependency of google-gax.

@ThulinaWickramasinghe

I've faced a similar issue. I'm working on a Next.js project using Next 14 app router. I also came across this.

https://www.reddit.com/r/react/comments/tqv6gv/facing_breaking_change_webpack_5_used_to_include/

@leahecole leahecole self-assigned this May 21, 2024
6 participants