
Update simple-get dependency ^3.0.3 to ^4.0.1 #2223

Closed
wants to merge 4 commits into from

Conversation

@YuMuuu commented Apr 3, 2023

I've updated the version of the simple-get module due to a security issue.

Versions below 4.0.1 have a vulnerability that leaks cookie headers to third-party sites.

url: https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/

  • Have you updated CHANGELOG.md?

@YuMuuu YuMuuu changed the title Update single-get dependency ^3.0.3 to ^4.0.1 Update sinple-get dependency ^3.0.3 to ^4.0.1 Apr 3, 2023
@YuMuuu YuMuuu changed the title Update sinple-get dependency ^3.0.3 to ^4.0.1 Update simple-get dependency ^3.0.3 to ^4.0.1 Apr 3, 2023
@piranna (Contributor) commented Apr 4, 2023

I think it should be replaced by built-in fetch API.

@chearon (Collaborator) commented Apr 4, 2023

> I think it should be replaced by built-in fetch API.

That's only in node 17+

This PR bumps up the node version too, but we currently support node 8+, so I don't think we can merge yet.

@LinusU (Collaborator) commented Apr 4, 2023

> This PR bumps up the node version too, but we currently support node 8+, so I don't think we can merge yet.

Yes, this would be a breaking change.

> https://huntr.dev/bounties/42c79c23-6646-46c4-871d-219c0d4b4e31/

The way that this package is using simple-get is not vulnerable to this issue since there isn't a way to set the cookie or authorization header in the first place.


Long term it would be nice to use the built-in fetch.

Node.js 16.x goes end-of-life on the 11th of September:

https://nodejs.org/en/blog/announcements/nodejs16-eol

If version 3.0.0 of Canvas is released on or after that date we should be able to support only 18+ and thus use the built-in fetch...
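An added example, not code from node-canvas or simple-get, that models the redirect-header policy this thread is discussing: request headers that carry credentials must not follow a redirect to a third-party site. It assumes "third-party" means a different origin (scheme, host and port); the function names are hypothetical.

```javascript
// Added example, not code from node-canvas or simple-get. It models the
// redirect-header policy the thread is discussing: request headers that
// carry credentials must not follow a redirect to a third-party site.
// Assumption: "third-party" means a different origin (scheme + host + port).

const SENSITIVE_HEADERS = new Set(['cookie', 'authorization']);

// Resolve a Location value (absolute or relative) against the request URL.
function resolveRedirect(fromUrl, location) {
  return new URL(location, fromUrl);
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

// Headers that may be forwarded when a response to `fromUrl` redirects to
// `location`. Header names are compared case-insensitively, as HTTP does.
function headersForRedirect(fromUrl, location, headers) {
  const crossOrigin = !sameOrigin(new URL(fromUrl), resolveRedirect(fromUrl, location));
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    forwarded[name] = value;
  }
  return forwarded;
}

// The unsafe behaviour, for contrast: every header follows the redirect.
function headersForRedirectUnsafe(fromUrl, location, headers) {
  return { ...headers };
}

// Constructed sample request headers (not taken from any real request).
const SAMPLE_HEADERS = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer token-xyz',
  Accept: 'image/png',
};

// Same-origin redirect keeps everything; cross-origin drops the credentials.
console.log(headersForRedirect('https://example.com/img', '/moved', SAMPLE_HEADERS));
console.log(headersForRedirect('https://example.com/img', 'https://cdn.example.net/img', SAMPLE_HEADERS));
```

Pure functions like these are easy to unit-test in isolation, which is how a project can verify a redirect policy without depending on a particular HTTP client's version.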

@YuMuuu (Author) commented Apr 5, 2023

umm...
I understood that it is impossible to "version up simple-get" and to "unuse simple-get".
But I don't think you should rely on vulnerable libraries even if they have no direct repercussions.

Do you have any other good ideas?

@chearon (Collaborator) commented Apr 5, 2023

> But I don't think you should rely on vulnerable libraries even if they have no direct repercussions.

It's not really a vulnerability if there's no way to exploit it.

@YuMuuu (Author) commented Apr 5, 2023

I got it. This PR will be closed. Thanks for your support. 🥰
I'll issue a PR to fix it to use fetch soon.

@YuMuuu YuMuuu closed this Apr 5, 2023
@YuMuuu YuMuuu mentioned this pull request Nov 27, 2023