
Replace outdated request dependency that introduces critical vulnerability in json-schema (CVE-2021-3918) #812

Closed
gustaff-weldon opened this issue May 30, 2022 · 3 comments

Comments

@gustaff-weldon

gustaff-weldon commented May 30, 2022

Describe the bug
This client depends on no longer maintained request dependency.

The path to upgrade was described in request/request#3142

This client is linked from Officially-supported Kubernetes client libraries page and as such will be widely used by developers who unknowingly will introduce vulnerability.

request brings in a dependency chain with json-schema with a critical vulnerability reported:

**Client Version**
0.16.3

To Reproduce

  • yarn init
  • yarn add @kubernetes/client-node
  • yarn why json-schema -R

Expected behavior
No dependency on vulnerable json-schema version < 0.4.0

Environment (please complete the following information):
Any

Additional context
Github advisory entry for json-schema:
CVE-2021-3918 (GHSA-896r-f27r-55mw)
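The reproduce steps above use `yarn why` against an installed tree. As an added example (not code from the issue or from the kubernetes-client project), the script below performs the same check offline against an npm lockfile, resolving each dependency the way npm does (nearest nested `node_modules` first, then walking up) and reporting every chain that ends in a json-schema release below the fixed 0.4.0. The lockfile is constructed for the demo; the `request > http-signature > jsprim > json-schema` chain and the `other-lib` package are assumptions.

```javascript
// Added example, not code from the issue or the kubernetes-client project.
// Scans an npm lockfile (lockfileVersion 2/3 "packages" map) for json-schema
// releases below 0.4.0, the version that fixes CVE-2021-3918.
const SAMPLE_LOCK = { // constructed for this demo; the chain is an assumption
  packages: {
    "": { dependencies: { "@kubernetes/client-node": "0.16.3", "other-lib": "1.0.0" } },
    "node_modules/@kubernetes/client-node": { version: "0.16.3", dependencies: { request: "^2.88.0" } },
    "node_modules/request": { version: "2.88.2", dependencies: { "http-signature": "~1.2.0" } },
    "node_modules/http-signature": { version: "1.2.0", dependencies: { jsprim: "^1.2.2" } },
    "node_modules/jsprim": { version: "1.4.1", dependencies: { "json-schema": "0.2.3" } },
    // nested copy: jsprim pins 0.2.3 while the hoisted root copy is already fixed
    "node_modules/jsprim/node_modules/json-schema": { version: "0.2.3" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { "json-schema": "^0.4.0" } },
    "node_modules/json-schema": { version: "0.4.0" },
  },
};

// Compare major.minor.patch only; pre-release suffixes are ignored for brevity.
function versionLt(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// npm resolution: the nearest nested node_modules wins, then walk up to the root.
function resolveDep(packages, from, dep) {
  for (let base = from; ; base = base.slice(0, Math.max(base.lastIndexOf("/node_modules/"), 0))) {
    const candidate = `${base ? base + "/" : ""}node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
  }
}

// Returns chains such as "@kubernetes/client-node@0.16.3 > request@2.88.2 > ... > json-schema@0.2.3".
function findVulnerableJsonSchema(lock, fixed = "0.4.0") {
  const { packages } = lock, findings = [], seen = new Set();
  const visit = (pkgPath, chain) => {
    if (seen.has(pkgPath)) return; // expand each package once (also a cycle guard)
    seen.add(pkgPath);
    for (const dep of Object.keys(packages[pkgPath].dependencies || {})) {
      const depPath = resolveDep(packages, pkgPath, dep);
      if (!depPath) continue; // not in the lockfile: skip rather than guess
      const next = chain.concat(`${dep}@${packages[depPath].version}`);
      if (dep === "json-schema" && versionLt(packages[depPath].version, fixed)) findings.push(next.join(" > "));
      visit(depPath, next);
    }
  };
  visit("", []);
  return findings;
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the hoisted 0.4.0 copy at the root is deliberately not reported, only the nested 0.2.3 that jsprim actually resolves to.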

@gustaff-weldon gustaff-weldon changed the title Replace outdated request dependency that introduces critical vulnerability in json-schema Replace outdated request dependency that introduces critical vulnerability in json-schema (CVE-2021-3918) May 30, 2022
@Timothy-Dement

Timothy-Dement commented May 30, 2022

This looks like it will resolve the following warnings:

> $ npm install @kubernetes/client-node
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

Although uuid is also listed under:

So that warning may require additional package updates to fully resolve.

@brendandburns
Contributor

This is a duplicate of #414; there is a long discussion there.

Additionally there is documentation for the migration path here:
https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md

The fetch migration has slowed because this is a community supported project. If someone wants to help with the migration, we would be very happy to have the help.

Thanks!

@gustaff-weldon
Author

@brendandburns that discussion is over 2 years old and looks to be stalled.
At this stage, this client should not be a recommended one anymore as it introduces critical security errors.

What is your recommendation for people who need to use Kubernetes API from Node?
