Transitive security vulnerability via http-signature

See original GitHub issue

Summary

request has a transitive security vulnerability via http-signature https://github.com/advisories/GHSA-896r-f27r-55mw

Simplest Example to Reproduce

# npm audit report

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw

node_modules/json-schema
  jsprim  0.3.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  1.0.0 - 1.3.5
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      request  >=2.66.0
      Depends on vulnerable versions of http-signature

Expected Behavior

request depends on http-signature with the security fix, i.e. ~1.3.6 https://github.com/joyent/node-http-signature/pull/125

Current Behavior

request 2.88.2 depends on the vulnerable http-signature 1.2.0

Possible Solution

Bump dependency version

Context

parcel 2.0.1 transitively depends on request

└─┬ parcel@2.0.1
  └─┬ @parcel/config-default@2.0.1
    └─┬ @parcel/optimizer-htmlnano@2.0.1
      └─┬ htmlnano@1.1.1
        └─┬ uncss@0.17.3
          └─┬ request@2.88.2
            └─┬ http-signature@1.2.0
              └─┬ jsprim@1.4.1
                └── json-schema@0.2.3

Your Environment

software            version
request             2.88.2
node                17.0.1
npm                 8.1.0
Operating System    macOS 12.0.1

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 15
  • Comments: 9

Top GitHub Comments

7 reactions
RopoMen commented, Dec 1, 2021

@mikeal as stated here https://github.com/request/request/issues/3142

Maintenance Mode

The committers that are still active will try to merge fixes in a timely fashion, no promises though.

Yes, “timely fashion, no promises though”, but PLEASE take these security issues seriously or mark this project completely deprecated and unmaintained so that developers start to migrate away from request.

I understood that this project has all required features, so there is “nothing to do” except maintenance. So, unless someone is actually doing active maintenance, please deprecate the whole library. In my project, migrating away from request to, for example, axios would take about 2-3 weeks to get all changes done and tests passing.

5 reactions
felix-hcl commented, Dec 9, 2021

Thankfully there was a backport in jsprim@1.4.2, which is compatible with http-signature@1.2.0, and therefore this can be resolved without any action in request:

  └─┬ request@2.88.2
    └─┬ http-signature@1.2.0
      └─┬ jsprim@1.4.2
        └── json-schema@0.4.0 

To mitigate it in your project, simply run the following commands (as long as jsprim is not a main dependency of your project):

npm install --save jsprim@1.4.2   # hoist a fixed jsprim to the top level of node_modules
npm ddp                           # alias of `npm dedupe`: http-signature's jsprim is collapsed onto the hoisted 1.4.2
npm uninstall --save jsprim       # drop it from package.json again; http-signature still needs it, so the deduped copy stays
npm ls json-schema                # verify: only json-schema@0.4.0 should remain in the tree