FEATURE: Upgrade dependency superagent to v9.0.0+ to include vulnerability fix
The package rascal version 19.0.0 references a dependency, superagent, which has a vulnerability.
Detailed Description
When running "npm install" on a package using rascal version 19.0.0, npm reports:
npm WARN deprecated [email protected]: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
Context
To avoid vulnerability CVE-2022-29622
Possible Implementation
Upgrade dependency [email protected] or newer.
Your Environment
- Version used: 19.0.0
- Environment name and version (e.g. Chrome 39, node.js 5.4): node.js v20.11.1; npm version 10.2.4
- Operating System and version (desktop or mobile): Mac desktop
- Link to your project:
Hi @CrystalSu,
I'm not sure why you're seeing [email protected] - rascal depends on ^8.0.9. Irrespective, a similar message is displayed on npm install:
npm WARN deprecated [email protected]: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
The fact that [email protected] requires Node v14.18.0+ is annoying. Rascal currently requires Node v14.0.0+
Since the vulnerability in formidable cannot actually affect Rascal, I'm going to take some time to look for an alternative http client.
I've removed superagent in favour of Node's http.request. One consequence will be that the management client will not follow redirects. If this causes an issue I will consider using https://www.npmjs.com/package/follow-redirects