Request is deprecated
box-node-sdk is using request 2.88.2 but that library is deprecated as of Feb 11th 2020
Are there any plans to have it replaced?
An additional reason is that request is using other libraries that contain vulnerabilities like CVE-2021-44907, causing this library to be reported as vulnerable
🔴 CVE-2021-44907 (CVSS3: 7.5) Severity: (HIGH)
Component: qs-6.5.3 (Transitive)
Dependency path: box-node-sdk-2.0.0 >>> request-2.88.2 >>> qs-6.5.3
Fix: Upgrade to version qs - 6.8.1
I know qs claims this as a false positive; nevertheless, as request will not be updated anymore, it's better to move away from it.
Thanks
Hi @huineng
We plan to replace request with axios in the future. However, I cannot tell you exactly when this will be done ATM.
Thanks, Mateusz
Hi, there was recently a vulnerability reported in request versions <= 2.88.. Wondering if this library will be replaced soon with axios? CVE-2023-28155
Hi,
We are aware of the reported vulnerability in the requests library. Currently we are working on the enhanced version of the TypeScript SDK, which is going to fix the above-mentioned vulnerability. However, work on this is still in progress, and you can expect that SDK around the July/August 2023 timeframe.
Hi, this was marked as completed, but I still see request as a dependency in this package; please confirm if this has been fixed, or if it has been incorrectly marked as completed.
Hi,
The issue is closed, but it's not implemented.
Currently we are working on the enhanced version of the TypeScript SDK, which is going to fix the above-mentioned vulnerability, as it will use the node-fetch or axios library for networking.