Comments (6)
Thanks for this. The solution would be to update our dependency to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?
from appmetrics.
According to request/request#2640 it looks like all versions of request are vulnerable. Solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, nodejs/node-gyp#2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.
from appmetrics.
Thanks for the response. How about the other 2 versions of request from the other 2 packages?
"request": "^2.72.0" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"
and
"request": "^2.83.0" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"
from appmetrics.
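To trace chains like the two above in any project, here is an added example that is not code from this thread or from appmetrics: it walks the JSON tree that `npm ls --all --json` prints (npm 6 prints the full tree with plain `npm ls --json`) and lists every path that ends at a given package. The sample tree and its version numbers are constructed for the example, not real appmetrics lock data.

```javascript
// Added example: find every dependency path to one package in an `npm ls --json` tree.
// Constructed sample tree mirroring the chains quoted in the thread; the
// version strings are placeholders, not the real versions of these packages.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    appmetrics: {
      version: '0.0.0-placeholder',
      dependencies: {
        'ibmapm-embed': {
          version: '0.0.0-placeholder',
          dependencies: {
            'ibmapm-restclient': {
              version: '0.0.0-placeholder',
              dependencies: {
                request: { version: '2.88.2' },
                'kubernetes-client': {
                  version: '0.0.0-placeholder',
                  dependencies: { request: { version: '2.88.2' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk from the root. Deduplicated entries in npm's output carry no
// `dependencies` key, so a missing key is treated as a leaf, not an error.
function findDependencyPaths(tree, target, trail = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === target) found.push({ version: node.version, path });
    findDependencyPaths(node, target, path, found);
  }
  return found;
}

// Render one path in the thread's "leaf --> ... --> root" style.
function formatChain(entry) {
  return [...entry.path].reverse().join(' --> ');
}

// Replace SAMPLE_TREE with JSON.parse(<output of `npm ls --all --json`>) for a real project.
for (const entry of findDependencyPaths(SAMPLE_TREE, 'request')) {
  console.log(`${entry.version}: ${formatChain(entry)}`);
}
```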
Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client
from appmetrics.
Hi @mattcolegate, it seems like nodejs/node-gyp#2220 solved issue nodejs/node-gyp#2047 by migrating request to fetch.
When do you plan to use the nodejs version containing the fix?
from appmetrics.
Hi @donacarr, looks like this is going into node-gyp v8.0.0 nodejs/node-gyp#2346 - when that version releases we can start looking to pull it into appmetrics
from appmetrics.