This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Update request to 2.88 #2496

Closed
Gwerlas opened this issue Sep 14, 2018 · 9 comments · Fixed by #2497

@Gwerlas
Contributor

Gwerlas commented Sep 14, 2018

The package extend 3.0.1, which is a dependency of request 2.87, has a vulnerability:
https://hackerone.com/reports/381185

Is it possible to upgrade to request 2.88, which has fixed its own package.json to use the fixed extend 3.0.2?

@xzyfer
Contributor

xzyfer commented Sep 14, 2018 via email

xzyfer pushed a commit that referenced this issue Sep 17, 2018
The package `extend 3.0.1`, which is a dependency of `request 2.87`, has a vulnerability:
https://hackerone.com/reports/381185

Upgrading `request` to v.2.88 will install `extend` v.3.0.2, the fixed version.

Fix #2496
@drakonen

Is there a release with this fix?

@Gwerlas
Contributor Author

Gwerlas commented Sep 18, 2018

Not yet.

I don't know who can make a new release.

@drakonen

@xzyfer Is there a release planned with this fix? I'd like to use a release instead of a git commit in my package.json.

@danconnell

Sorry to do this, but: @xzyfer @andre @deanmao @bwilkins @keithamus @LaurentGoderre @nschonni @adamyeats @am11

Can someone please release this to npm?

@xzyfer
Contributor

xzyfer commented Oct 15, 2018

v4.9.4 released

@gaz77a

gaz77a commented Apr 23, 2019

angular/angular#21202
As you can see in the link above, there is a similar issue where upgrading request module from 2.87.0 to 2.88.0 also introduces the punycode module v2.1.1 which dropped support for IE11 in v2.0.0.

├─┬ node-sass@3.13.1
│ └─┬ request@2.88.0
│   ├─┬ har-validator@5.1.3
│   │ └─┬ ajv@6.10.0
│   │   └─┬ uri-js@4.2.2
│   │     └── punycode@2.1.1 

Can you suggest how we can fix this for node-sass@3.13.1 without upgrading it to a major version?

@nschonni
Contributor

The version of request that node-sass uses should have no effect on your application if you require a particular version for your app. Ex: set your request version in your package.json and NPM will separate out node-sass and your app's version.

@gaz77a

gaz77a commented Apr 23, 2019

Thanks @nschonni, your suggestion worked perfectly! I'm certainly impressed by the quick turnaround of the contributors of this project :)

jiongle1 pushed a commit to scantist-ossops-m2/node-sass that referenced this issue Apr 7, 2024