Request dependency causes security risk

[lyndsey-ferguson]

We are seeing security issues related to a vulnerability in request due to it's reliance on hawk which uses the vulnerable hoek. I am opening up this issue so that when request updates to v7.x.x of hawk, less can be updated.

less@3.0.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439

[seven-phases-max]

Please just create a PR when this happens.

[lyndsey-ferguson]

I'll keep my eye out for it and create that PR

[seven-phases-max]

Closing to not keep thing piling up.

[lyndsey-ferguson]

I personally would prefer to keep this open and resolve the ticket once this future PR is merged. People finding this issue would then see it open and not create another issue.

[seven-phases-max]

Could be or could be not. So far nothing can be done at the Less side so this is not even an issue at this repo (I have to close every ~second issue here as a dupicate anyway so this is not a problem at all, as well as not a problem to re-open one when it becomes applicable).

[hughns]

@seven-phases-max The dependency on request was updated in bd2a93f#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 which brings in a non-vulnerable version. However, less@3.0.2 has yet to be released in npm form. Is there a plan to release this to npm?

[hughns]

Actually, this should probably be considered a duplicate of #3169

[matthew-dean]

@hughns If this addresses the plugin issue, then 3.0.3 can be published soon - #3200. Just waiting on review from @seven-phases-max. More collaborators for Less are always welcome!