node-vault

Vulnerability in sub-dependency json-schema

Open OlikPolik opened this issue 4 years ago • 2 comments

The version of the request package you are using has a json-schema sub-dependency at version 0.2.3, which now has an official vulnerability. Is there any chance you could bump up the request version or the json-schema version?

Thanks

OlikPolik, Nov 24 '21 00:11

My guess is that this is going to be stuck in the same state as #150 — it doesn't look like node-vault is being maintained anymore, so this won't get fixed. We'll see.

delfuego, Nov 29 '21 17:11

They can't resolve this cuz the dependency is within the 'request' module, which itself doesn't even have the fix/latest version of 'http-signature'. This vulnerability goes a little deep.

See https://github.com/request/request/issues/3394

HappyZombies, Dec 02 '21 18:12
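
Added example (not part of the thread and not node-vault's code): one way to confirm from a lockfile that json-schema 0.2.3 is reached through request and http-signature, as the comment above describes. The lockfile is constructed, `findChains` is a hypothetical helper, and the npm lockfile v1 layout is assumed.

```javascript
// Constructed sample in npm lockfile v1 layout ("requires" plus nested "dependencies").
// Only the package names and json-schema 0.2.3 come from the thread; the tree
// shape and every other version are placeholders.
const sampleLock = {
  dependencies: {
    "node-vault": { version: "0.0.0-sample", requires: { request: "*" } },
    request: { version: "0.0.0-sample", requires: { "http-signature": "*" } },
    "http-signature": {
      version: "0.0.0-sample",
      requires: { "json-schema": "*" },
      // Nested copy: this is the one http-signature actually loads.
      dependencies: { "json-schema": { version: "0.2.3" } },
    },
    // Hoisted copy at another version; a top-level-only check sees just this.
    "json-schema": { version: "9.9.9-sample" },
  },
};

// Return every chain "a@v > b@v > ..." from the direct dependencies in `roots`
// to target@version, resolving names the way node_modules lookup does:
// nearest nested "dependencies" first, then outwards to the top level.
function findChains(lock, roots, target, version) {
  const chains = [];
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i][name]) return { entry: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
    return null; // not present in the lockfile (e.g. an optional dependency)
  };
  const visit = (name, hit, path, onPath) => {
    const here = path.concat(`${name}@${hit.entry.version}`);
    if (name === target && hit.entry.version === version) chains.push(here.join(" > "));
    if (onPath.has(hit.entry)) return; // cycle guard
    onPath.add(hit.entry);
    const scopes = hit.entry.dependencies ? hit.scopes.concat([hit.entry.dependencies]) : hit.scopes;
    for (const dep of Object.keys(hit.entry.requires || {})) {
      const next = resolve(dep, scopes);
      if (next) visit(dep, next, here, onPath);
    }
    onPath.delete(hit.entry);
  };
  for (const root of roots) {
    const hit = resolve(root, [lock.dependencies || {}]);
    if (hit) visit(root, hit, [], new Set());
  }
  return chains;
}

console.log(findChains(sampleLock, ["node-vault"], "json-schema", "0.2.3"));
```

The roots are the direct dependencies from package.json, since a v1 lockfile does not record which entries are direct.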

Heya folks! I'm a new maintainer here (outcome of #150). Will work to resolve the vulnerability soon!

aviadhahami, Nov 10 '22 17:11