Request dependency causes security risk #3184
Comments
Please just create a PR when this happens.
I'll keep my eye out for it and create that PR
Closing to not keep things piling up.
I personally would prefer to keep this open and resolve the ticket once this future PR is merged. People finding this issue would then see it open and not create another issue.
Could be or could be not. So far nothing can be done at the Less side so this is not even an issue at this repo (I have to close every ~second issue here as a duplicate anyway so this is not a problem at all, as well as not a problem to re-open one when it becomes applicable).
@seven-phases-max The dependency on request was updated in bd2a93f#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 which brings in a non-vulnerable version. However,
Actually, this should probably be considered a duplicate of #3169
@hughns If this addresses the plugin issue, then 3.0.3 can be published soon - #3200. Just waiting on review from @seven-phases-max. More collaborators for Less are always welcome!
We are seeing security issues related to a vulnerability in `request` due to its reliance on `hawk` which uses the vulnerable `hoek`. I am opening up this issue so that when `request` updates to v7.x.x of `hawk`, `less` can be updated.
less@3.0.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439
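
The chain reported above can be recovered mechanically, which shows which direct dependency has to be upgraded to drop the flagged package. This is an added example, not code from the Less project or from anyone in the thread: it walks a tree shaped like `npm ls --json` output, and the sample tree, `my-app` and `example-dep` are constructed for illustration.

```javascript
'use strict';

// Constructed sample mirroring the chain quoted in the issue.
// "my-app" and "example-dep" are invented placeholders.
const sampleTree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    less: {
      version: '3.0.0',
      dependencies: {
        'example-dep': { version: '1.0.0' },
        request: {
          version: '2.83.0',
          dependencies: {
            hawk: {
              version: '6.0.2',
              dependencies: { hoek: { version: '4.2.0' } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk over nested "dependencies" maps.
// Returns every path that ends at targetName@targetVersion,
// formatted as "a@1 > b@2 > ...".
function findPaths(node, targetName, targetVersion, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${dep.version}`];
    if (name === targetName && dep.version === targetVersion) {
      hits.push(here.join(' > '));
    }
    hits.push(...findPaths(dep, targetName, targetVersion, here));
  }
  return hits;
}

// The first hop of each path is the direct dependency whose upgrade
// (or replacement) removes the flagged transitive package.
function directDependenciesToFix(tree, targetName, targetVersion) {
  const firstHops = findPaths(tree, targetName, targetVersion)
    .map((path) => path.split(' > ')[0]);
  return [...new Set(firstHops)];
}

console.log(findPaths(sampleTree, 'hoek', '4.2.0'));
```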