replace request with request-util, update packages (#415)

razee-io · Apr 12, 2023 · 08199d2 · 08199d2
1 parent db032f4
commit 08199d2
Show file tree

Hide file tree

Showing 8 changed files with 1,419 additions and 580 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -15,7 +15,7 @@ jobs:
      arch: amd64
      script:
        # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
-       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit; else npm audit || true; fi
+       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config audit-ci.json; else npx audit-ci --config audit-ci.json || true; fi
        - npm run lint
        - npm test
        - if [[ $TRAVIS_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
@@ -47,7 +47,7 @@ jobs:
      arch: ppc64le
      script:
        # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
-       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit; else npm audit || true; fi
+       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config audit-ci.json; else npx audit-ci --config audit-ci.json || true; fi
        - npm test
        - if [[ $TRAVIS_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
        - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-ppc64le" .
@@ -79,7 +79,7 @@ jobs:
      arch: s390x
      script:
        # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
-       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit; else npm audit || true; fi
+       - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config audit-ci.json; else npx audit-ci --config audit-ci.json || true; fi
        - npm test
        - if [[ $TRAVIS_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
        - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-s390x" .

diff --git a/audit-ci.json b/audit-ci.json
@@ -0,0 +1,17 @@
+{
+    "low": true,
+    "_allowlistInfo": [
+      {
+        "advisory": "GHSA-p8p7-x288-28g6",
+        "details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
+        "justification1": "Request package is deprecated and unlikely to receive updates.",
+        "justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.",
+        "expiry": "28 April 2023 00:00"
+      }
+    ],
+    "allowlist": [
+      "GHSA-p8p7-x288-28g6"
+    ],
+    "skip-dev": true
+  }
+