Security Issue with request 2.88 in @looker/sdk and @looker/sdk-rtl #1439
Comments
In case someone needs a quick fix for this issue, the cypress team maintains a fork with a fix. You can get it into your project by using npm overrides in package.json
@xiel thanks for the solution! This works fine for me when I run my project locally, however as soon as it runs in a Docker container, it fails:
Really struggling to find a way to fix this, do you have any ideas?
@smartin88 That difference between local and docker is weird. Which package manager do you use? How are the node_modules installed into the docker container? Do you install from inside the docker container or copy the modules from outside in? I am wondering if it might be related to symlinks... Bit hard to debug from the outside...
Hey @xiel, we use pnpm as our package manager, and the modules are compiled and then copied from outside into the Docker container. Thanks for the thoughts regarding symlinks... appreciate this is hard to debug from outside, I will look at that as a possible issue
Removes the request package from all TypeScript SDK packages

- Requires Node v22
- For browser, uses the standard `fetch` function
- For NodeJS, uses Node v22 global `fetch` function
- See README updates in the TypeScript SDKs for more information

Addresses #1439
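Because the fix above drops `request` in favour of the global `fetch` and raises the floor to Node v22, an application that keeps an older base image fails at runtime rather than at install time. The following is an added example of mine (not part of the PR or of the SDK) of a pre-flight check to run before initialising the SDK, so a too-old runtime is reported in plain terms instead of as an undefined-function error inside the transport. The list of required globals is my assumption of what a fetch-based transport touches, and the version strings used to exercise it are constructed.

```javascript
// Added example, not part of the sdk-codegen PR or the Looker SDK.
// Verify the runtime the fetch-based TypeScript SDK requires (Node v22 and a
// global `fetch`, per the PR description) before the SDK is initialised.
'use strict';

const REQUIRED_NODE_MAJOR = 22; // stated in the PR description
// Assumed set of globals a fetch-based transport relies on.
const REQUIRED_GLOBALS = ['fetch', 'Headers', 'Request', 'Response', 'AbortController'];

// Parse "v22.4.1" (or "22.4.1") into its major number; null if unparsable.
function nodeMajor(versionString) {
  const m = /^v?(\d+)\./.exec(String(versionString));
  return m ? Number(m[1]) : null;
}

// Return the list of problems found; an empty list means the runtime is
// suitable. `env` is injectable so the check can be exercised against
// constructed inputs instead of the live process.
function checkFetchRuntime(env = { version: process.version, globals: globalThis }) {
  const problems = [];
  const major = nodeMajor(env.version);
  if (major === null) {
    problems.push(`cannot parse Node version "${env.version}"`);
  } else if (major < REQUIRED_NODE_MAJOR) {
    problems.push(`Node ${env.version} is older than the required v${REQUIRED_NODE_MAJOR}`);
  }
  for (const name of REQUIRED_GLOBALS) {
    if (typeof env.globals[name] === 'undefined') {
      problems.push(`global ${name} is not defined`);
    }
  }
  return problems;
}

// Fail fast with every problem listed, so a container log shows the whole
// picture (old Node *and* missing fetch) in one message.
function assertFetchRuntime() {
  const problems = checkFetchRuntime();
  if (problems.length) {
    throw new Error('SDK runtime check failed:\n - ' + problems.join('\n - '));
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  assertFetchRuntime();
  console.log(`ok: Node ${process.version} provides the globals the SDK needs`);
}
if (typeof module !== 'undefined') {
  module.exports = { REQUIRED_NODE_MAJOR, REQUIRED_GLOBALS, nodeMajor, checkFetchRuntime, assertFetchRuntime };
}
```

Call `assertFetchRuntime()` at the top of the entrypoint that creates the SDK client; in a Docker image this turns a version mismatch into an immediate, readable failure of the container's first command.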
🤖 I have created a release *beep* *boop*

---

<details><summary>api-explorer: 0.9.65</summary>

## [0.9.65](api-explorer-v0.9.64...api-explorer-v0.9.65) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/code-editor bumped from 0.1.31 to 0.1.32
    * @looker/extension-utils bumped from 0.1.41 to 0.1.42
    * @looker/run-it bumped from 0.9.64 to 0.9.65
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-codegen bumped from 21.9.0 to 21.9.1
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
  * devDependencies
    * @looker/sdk-codegen-scripts bumped from 21.5.21 to 21.5.22
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
</details>

<details><summary>code-editor: 0.1.32</summary>

## [0.1.32](code-editor-v0.1.31...code-editor-v0.1.32) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @looker/sdk-codegen bumped from 21.9.0 to 21.9.1
</details>

<details><summary>@looker/extension-api-explorer: 22.21.22</summary>

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/api-explorer bumped from 0.9.64 to 0.9.65
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/extension-sdk-react bumped from 24.14.0 to 24.16.0
    * @looker/extension-utils bumped from 0.1.41 to 0.1.42
    * @looker/run-it bumped from 0.9.64 to 0.9.65
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-codegen bumped from 21.9.0 to 21.9.1
</details>

<details><summary>extension-playground: 1.0.22</summary>

## [1.0.22](extension-playground-v1.0.21...extension-playground-v1.0.22) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/extension-sdk-react bumped from 24.14.0 to 24.16.0
    * @looker/sdk bumped from 24.14.0 to 24.16.0
</details>

<details><summary>extension-tile-playground: 1.1.9</summary>

## [1.1.9](extension-tile-playground-v1.1.8...extension-tile-playground-v1.1.9) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/extension-sdk-react bumped from 24.14.0 to 24.16.0
    * @looker/sdk bumped from 24.14.0 to 24.16.0
</details>

<details><summary>extension-utils: 0.1.42</summary>

## [0.1.42](extension-utils-v0.1.41...extension-utils-v0.1.42) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/code-editor bumped from 0.1.31 to 0.1.32
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/extension-sdk-react bumped from 24.14.0 to 24.16.0
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>hackathon: 22.21.24</summary>

## [22.21.24](hackathon-v22.21.23...hackathon-v22.21.24) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/code-editor bumped from 0.1.31 to 0.1.32
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/extension-sdk-react bumped from 24.14.0 to 24.16.0
    * @looker/extension-utils bumped from 0.1.41 to 0.1.42
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
    * @looker/wholly-artifact bumped from 0.1.22 to 0.1.23
</details>

<details><summary>run-it: 0.9.65</summary>

## [0.9.65](run-it-v0.9.64...run-it-v0.9.65) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/code-editor bumped from 0.1.31 to 0.1.32
    * @looker/extension-utils bumped from 0.1.41 to 0.1.42
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-codegen bumped from 21.9.0 to 21.9.1
    * @looker/sdk-codegen-utils bumped from 21.0.11 to 21.0.12
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>sdk-codegen: 21.9.1</summary>

## [21.9.1](sdk-codegen-v21.9.0...sdk-codegen-v21.9.1) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
  * devDependencies
    * @looker/sdk-codegen-utils bumped from 21.0.11 to 21.0.12
</details>

<details><summary>sdk-codegen-scripts: 21.5.22</summary>

## [21.5.22](sdk-codegen-scripts-v21.5.21...sdk-codegen-scripts-v21.5.22) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-codegen bumped from 21.9.0 to 21.9.1
    * @looker/sdk-codegen-utils bumped from 21.0.11 to 21.0.12
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>sdk-codegen-utils: 21.0.12</summary>

## [21.0.12](sdk-codegen-utils-v21.0.11...sdk-codegen-utils-v21.0.12) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
    * @looker/sdk bumped from 24.12.1 to 24.16.0
    * @looker/sdk-node bumped from 24.12.1 to 24.16.0
</details>

<details><summary>sdk-rtl: 21.6.2</summary>

## [21.6.2](sdk-rtl-v21.6.1...sdk-rtl-v21.6.2) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)
</details>

<details><summary>wholly-artifact: 0.1.23</summary>

## [0.1.23](wholly-artifact-v0.1.22...wholly-artifact-v0.1.23) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
    * @looker/sdk bumped from 24.14.0 to 24.16.0
  * devDependencies
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
</details>

<details><summary>wholly-sheet: 0.5.61</summary>

## [0.5.61](wholly-sheet-v0.5.60...wholly-sheet-v0.5.61) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
  * devDependencies
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
</details>

<details><summary>sdk-codegen-all: 24.16.0</summary>

## [24.16.0](sdk-codegen-all-v24.14.0...sdk-codegen-all-v24.16.0) (2024-09-11)

### Features

* generate SDKs for Looker 24.16 ([#1499](#1499)) ([109839d](109839d))

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)
</details>

<details><summary>looker_sdk: 24.16.0</summary>

## [24.16.0](looker_sdk-v24.14.0...looker_sdk-v24.16.0) (2024-09-11)

### Features

* generate SDKs for Looker 24.16 ([#1499](#1499)) ([109839d](109839d))
</details>

<details><summary>embed-components: 24.16.0</summary>

## [24.16.0](embed-components-v24.14.0...embed-components-v24.16.0) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/embed-services bumped from 24.14.0 to 24.16.0
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
  * devDependencies
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
</details>

<details><summary>embed-services: 24.16.0</summary>

## [24.16.0](embed-services-v24.14.0...embed-services-v24.16.0) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
    * @looker/sdk bumped from 24.14.0 to 24.16.0
  * devDependencies
    * @looker/sdk-node bumped from 24.14.0 to 24.16.0
</details>

<details><summary>extension-sdk: 24.16.0</summary>

## [24.16.0](extension-sdk-v24.14.0...extension-sdk-v24.16.0) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>extension-sdk-react: 24.16.0</summary>

## [24.16.0](extension-sdk-react-v24.14.0...extension-sdk-react-v24.16.0) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/extension-sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>sdk: 24.16.0</summary>

## [24.16.0](sdk-v24.14.0...sdk-v24.16.0) (2024-09-11)

### Features

* generate SDKs for Looker 24.16 ([#1499](#1499)) ([109839d](109839d))

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

<details><summary>sdk-node: 24.16.0</summary>

## [24.16.0](sdk-node-v24.14.0...sdk-node-v24.16.0) (2024-09-11)

### Bug Fixes

* Remove the requests package from the TypeScript SDK ([#1491](#1491)) ([670377c](670377c)), closes [#1439](#1439)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @looker/sdk bumped from 24.14.0 to 24.16.0
    * @looker/sdk-rtl bumped from 21.6.1 to 21.6.2
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
I have a project using @looker/sdk as a dependency and when I run:
```
yarn run audit
```

I get

```
Severity: MODERATE
Modules: @looker/sdk-rtl>request,
         @looker/filter-components>@looker/sdk-rtl>request,
         @looker/filter-components>@looker/sdk>@looker/sdk-rtl>request,
         @looker/filter-components>@looker/filter-expressions>@looker/sdk>@looker/sdk-rtl>request
URL: https://github.com/advisories/GHSA-p8p7-x288-28g6
```

four times. I see that @looker/sdk and @looker/sdk-rtl are using

```
request "^2.88.0"
```

which has this security issue. Are there plans to upgrade?