Request package vulnerable to SSRF

Snyk has identified an issue with the request module being used by jsforce. 

https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831 

--- 
Overview
[request](https://www.npmjs.com/package/request) is a simplified http request client. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: This package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.
---

I understand the switch away from using request is queued up for V2 but given this vulnerability can it be moved forward?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Request package vulnerable to SSRF #1312

NOTE: This package has been deprecated, so a fix is not expected. See request/request#3142.

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Request package vulnerable to SSRF #1312

Description

NOTE: This package has been deprecated, so a fix is not expected. See request/request#3142.

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions