Deprecated request and request-promise packages leading to vulnerability in tough-cookie module #1231
Comments
|
Following the suggestion in this thread: "NOTE: This is a temporarily work around with npm until tough-cookie dependency version bump is merged. Add the following to package.json: "overrides": { I was able to resolve it. However, the other vulnerability remains, seemingly because request-promise-core relies on deprecated request version 2.34.0: |
|
Perhaps Request could be replaced with Axios? |
|
I'll give it a look how hard a migration would be |
|
Thank you! Let me know if I can assist or test in any way. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
On the latest version, 0.66, node-telegram-bot-api relies on deprecated request and request-promise packages, which depend on a vulnerable tough-cookie version (GHSA-p8p7-x288-28g6).
npm audit suggests only temporary fixes, without resolving the underlying issues. I'm seeking updates or workarounds to address these security risks effectively. Is it possible that updating to the latest version of https://www.npmjs.com/package/@cypress/request could resolve?
The text was updated successfully, but these errors were encountered: