Description
Prerequisites
Please answer the following questions before submitting an issue.
YOU MAY DELETE THE PREREQUISITES SECTION.
- I am running the latest version of Node and the tools
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Expected behavior
No vulnerabilities reported by npm install or npm audit
Current behavior
npm install or audit reports a vulnerability with tough-cookie by way of the 'request' module used for testing. We should use a different module since 'request' is deprecated (and 4 years old). See request/request#3143 for alternatives
Steps to Reproduce
run 'npm audit'
Context
- Operating System: Win32
- Node version: v18
- Office version: n/a
- Tool version: n/a
Failure Logs
npm audit report
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/axios
@microsoft/teams-manifest <=0.1.2
Depends on vulnerable versions of axios
node_modules/@microsoft/teams-manifest
@microsoft/teamsfx-api <=0.22.6
Depends on vulnerable versions of @microsoft/teams-manifest
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-api
@microsoft/teamsfx-cli *
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of @microsoft/teamsfx-core
node_modules/@microsoft/teamsfx-cli
office-addin-dev-settings >=1.11.0
Depends on vulnerable versions of @microsoft/teamsfx-cli
node_modules/office-addin-dev-settings
office-addin-debugging >=4.3.10
Depends on vulnerable versions of office-addin-dev-settings
node_modules/office-addin-debugging
@microsoft/teamsfx-core <=2.0.6
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-core
request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
9 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
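The audit output above only lists each vulnerable package with the packages that depend on it; working out which of your own direct dependencies actually pulls in `tough-cookie` (here, `request`) or `axios` (here, the `office-addin-debugging` chain) is left to the reader. The script below is an added example, not code from this repository or from npm: it walks a machine-readable report of the kind `npm audit --json` produces (the `auditReportVersion: 2` shape with `via`, `effects` and `isDirect` fields is an assumption about npm's format, not something on this page) and reports, for every package that carries its own advisory, the path up to the direct dependency you would have to replace, plus a severity gate suitable for CI. The embedded report is a constructed, shortened sample modelled on the advisories quoted in the issue.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2).
// Advisory titles/IDs match the issue's log; the JSON structure is assumed.
// The axios chain is shortened (teamsfx-core/cli/dev-settings omitted).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "tough-cookie": {
      name: "tough-cookie", severity: "moderate", isDirect: false,
      via: [{ name: "tough-cookie", title: "tough-cookie Prototype Pollution vulnerability",
              url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", severity: "moderate", range: "<4.1.3" }],
      effects: ["request"], range: "<4.1.3", nodes: ["node_modules/tough-cookie"], fixAvailable: false,
    },
    request: {
      name: "request", severity: "moderate", isDirect: true,
      via: [{ name: "request", title: "Server-Side Request Forgery in Request",
              url: "https://github.com/advisories/GHSA-p8p7-x288-28g6", severity: "moderate", range: "*" },
            "tough-cookie"],
      effects: [], range: "*", nodes: ["node_modules/request"], fixAvailable: false,
    },
    axios: {
      name: "axios", severity: "moderate", isDirect: false,
      via: [{ name: "axios", title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", severity: "moderate", range: "0.8.1 - 1.5.1" }],
      effects: ["@microsoft/teams-manifest"], range: "0.8.1 - 1.5.1", nodes: ["node_modules/axios"],
      fixAvailable: { name: "office-addin-debugging", version: "<placeholder>", isSemVerMajor: true },
    },
    "@microsoft/teams-manifest": {
      name: "@microsoft/teams-manifest", severity: "moderate", isDirect: false, via: ["axios"],
      effects: ["@microsoft/teamsfx-api"], range: "<=0.1.2", nodes: ["node_modules/@microsoft/teams-manifest"],
      fixAvailable: { name: "office-addin-debugging", version: "<placeholder>", isSemVerMajor: true },
    },
    "@microsoft/teamsfx-api": {
      name: "@microsoft/teamsfx-api", severity: "moderate", isDirect: false, via: ["@microsoft/teams-manifest"],
      effects: ["office-addin-debugging"], range: "<=0.22.6", nodes: ["node_modules/@microsoft/teamsfx-api"],
      fixAvailable: { name: "office-addin-debugging", version: "<placeholder>", isSemVerMajor: true },
    },
    "office-addin-debugging": {
      name: "office-addin-debugging", severity: "moderate", isDirect: true, via: ["@microsoft/teamsfx-api"],
      effects: [], range: ">=4.3.10", nodes: ["node_modules/office-addin-debugging"],
      fixAvailable: { name: "office-addin-debugging", version: "<placeholder>", isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Packages that carry an advisory of their own (an object in `via`), as opposed
// to packages flagged only because they depend on a vulnerable one (strings in `via`).
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((entry) => typeof entry === "object"))
    .map((v) => v.name)
    .sort();
}

// Follow `effects` upward from a vulnerable package until a direct dependency
// (something in your own package.json) is reached. Returns every such path.
function pathsToDirectDeps(report, start) {
  const vulns = report.vulnerabilities;
  const paths = [];
  const walk = (name, trail) => {
    const entry = vulns[name];
    if (!entry || trail.includes(name)) return; // unknown node, or cycle guard
    const path = [...trail, name];
    if (entry.isDirect) { paths.push(path); return; }
    for (const dependent of entry.effects) walk(dependent, path);
  };
  walk(start, []);
  return paths;
}

// CI gate: number of flagged packages at or above the given severity.
function countAtOrAbove(report, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= min).length;
}

// Human-readable summary: one line per advisory, naming the direct dependency to act on.
function summarize(report) {
  return rootAdvisories(report).map((name) => {
    const chains = pathsToDirectDeps(report, name).map((p) => p.join(" -> ")).join("; ");
    const fix = report.vulnerabilities[name].fixAvailable ? "fix available" : "no fix available";
    return `${name} (${report.vulnerabilities[name].severity}, ${fix}): ${chains}`;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of summarize(SAMPLE_AUDIT)) console.log(line);
  console.log(`moderate-or-worse findings: ${countAtOrAbove(SAMPLE_AUDIT, "moderate")}`);
}
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse` of that file in place of `SAMPLE_AUDIT`; on this sample the `tough-cookie` advisory resolves to the single path `tough-cookie -> request`, which is exactly the "replace `request`" conclusion the issue draws, while the `axios` advisory resolves to `office-addin-debugging` as the only direct dependency you can act on.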