Request dependency <=2.68 opens to potential memory exposure vulnerability

[evilaliv3]

Do you want to request a feature or report a bug?
This ticket is to report a a potential security vulnerability caused by the request dependency.

What is the current behavior?
Various of the dependencies used by angular.js make use of a vulnerable version of the request package (<2.68) that allow potential memory exposure.

Involved dependencies are: insight, fsevents

details:

• https://snyk.io/vuln/npm:request:20160119
• Update request to 2.74.0 sindresorhus/insight#48
• Request dependency <=2.68 opens to potential memory exposure vulnerability fsevents/fsevents#145

In order to address a short term fix it is suggested to modify the current npm shrinkwrap to use request==2.74.0

[vicb]

It should be a dev dependency only ?

[evilaliv3]

sure it is, but for relevant projects like angular impacting the core developers is even more risky for the whole community.

[dblVs]

@alexeagle just checked the yarn lock and the installed version of request is 2.88.0 and 2.74.0 and most outdated dependency is ^2.72.0 if that matters at all. can this be closed?

edit:

first required request

angular/yarn.lock

Line 9280 in 6f5d910

request@^2.72.0, request@^2.74.0, request@^2.79.0, request@^2.81.0, request@^2.85.0, request@^2.88.0:

second required request

angular/yarn.lock

Line 9306 in 6f5d910

request@~2.74.0:

[M-a-c-Carter]

@evilaliv3
@IgorMinar
heartbeat