SHA-1 Weak Authentication Algorithm vulnerability in dependency "request" about appmetrics HOT 6 OPEN

Thanks for this. The solution would be to update our depenceny to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?

from appmetrics.

Acording to request/request#2640 it looks like all versions of request are vulnerable. Solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, nodejs/node-gyp#2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.

from appmetrics.

Thanks for the response. How about the other 2 versions request from other 2 package?

"request": "^2.72.0" -->"ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

and
"request": "^2.83.0" --> kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

from appmetrics.

Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client

from appmetrics.

Hi @mattcolegate , it seems like nodejs/node-gyp#2220 solved issue nodejs/node-gyp#2047 migrating requests to fetch.
When do you plan to use the nodejs version containing the fix ?

from appmetrics.

Hi @donacarr, looks like this is going into node-gyp v8.0.0 nodejs/node-gyp#2346 - when that version releases we can start looking to pull it into appmetrics

from appmetrics.