Request dependency causes security risk
We are seeing security issues related to a vulnerability in request due to its reliance on hawk, which uses the vulnerable hoek. I am opening up this issue so that when request updates to v7.x.x of hawk, less can be updated.

less@3.0.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0

https://nodesecurity.io/advisories/566
https://hackerone.com/reports/310439
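One way to locate every path that pulls a vulnerable transitive dependency into a package, as an added example that is not part of the issue or the Less project: the function below walks an `npm ls --json`-style tree and returns each chain that ends in a `hoek` version older than the first patched release. The tree is constructed by hand here to mirror the chain reported above, and the patched version `4.2.1` is an assumption passed in as a parameter rather than a value taken from this issue.

```javascript
// Compare two plain "x.y.z" versions; returns <0, 0 or >0 like a comparator.
// Pre-release tags are not handled; npm ls output for the packages here is plain.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Recursively collect "name@version > ..." chains for every occurrence of
// pkgName whose version is below firstSafeVersion. Nested npm ls entries are
// keyed by name, so the path is threaded through explicitly.
function findVulnerablePaths(node, pkgName, firstSafeVersion, path) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkgName && compareVersions(info.version, firstSafeVersion) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(info, pkgName, firstSafeVersion, here));
  }
  return hits;
}

// Entry point: the root of npm ls --json carries its own name and version.
function reportChains(rootTree, pkgName, firstSafeVersion) {
  const root = `${rootTree.name}@${rootTree.version}`;
  return findVulnerablePaths(rootTree, pkgName, firstSafeVersion, [root]);
}

// Constructed sample tree (not real npm output) mirroring this issue's chain,
// plus a deduped hoek at the root that is already at the patched version.
const sampleTree = {
  name: 'less', version: '3.0.0',
  dependencies: {
    hoek: { version: '4.2.1' },
    request: {
      version: '2.83.0',
      dependencies: {
        hawk: { version: '6.0.2', dependencies: { hoek: { version: '4.2.0' } } },
      },
    },
  },
};

// Prints: less@3.0.0 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
reportChains(sampleTree, 'hoek', '4.2.1').forEach((chain) => console.log(chain));
```

The same walk works on real `npm ls --json` output piped into `JSON.parse`, which is how a maintainer can confirm that a bumped `request` actually removes the last path to the affected `hoek`.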
Issue Analytics: created 6 years ago; 8 comments (4 by maintainers)
Top GitHub Comments
I personally would prefer to keep this open and resolve the ticket once this future PR is merged. People finding this issue would then see it open and not create another issue.
@hughns If this addresses the plugin issue, then 3.0.3 can be published soon - https://github.com/less/less.js/pull/3200. Just waiting on review from @seven-phases-max. More collaborators for Less are always welcome!