Using outdated Request module

[J4Numbers]

The Request module that is currently being used by the project (2.74.0) is using a vulnerable release of Hawk (with Hoek as a deep dependency) according to the NSP checker.

The Request module has patched this in version 2.82.0 of their project, could you update using this version as a minimum? Thanks.

[frankrousseau]

The fix is published as 0.6.3 version. But it doesn't work any more with Node 0.10.

[smashwilson]

It looks like [email protected] has another vulnerability reported against a dependency:

$ npm ls cryptiles
[email protected] /Users/smashwilson/src/atom/github
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

CVE-2018-1000620

Digging around, it looks like request has removed hawk as a dependency in 2.87 (request/request#2943). Request 2.88 also updated a bunch of other dependencies to resolve security vulnerabilities.

Would it be possible to publish another dependency-upgrade version? Alternately and additionally: is there any way the version specifiers in this package's dependencies could be relaxed? Currently both are specified as exact matches.

[frankrousseau]

I will have a look at it. I don't have the rights on the repo but I may have the rights to publish a new version.

[frankrousseau]

I published a new version (0.6.4). Can you tell me if everything is ok?