Potential exposure to CVE-2021-3918 - Score 9.8

[felix-hcl]

Steps to reproduce

1. Install loopback-connector-rest
2. run npm ls json-schema

Current Behavior

The vulnerable version of json-schema is a sub-dependency of request@2.88.2 which is the latest version of the deprecated http client.

└─┬ loopback-connector-rest@4.0.1
  └─┬ request@2.88.2
    └─┬ http-signature@1.2.0
      └─┬ jsprim@1.4.1
        └── json-schema@0.2.3 

Expected Behavior

Usage of non-deprectated package which are not exposed to security vulnerabilities.

Additional information

https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Fixes exist for json-schema, jsprim and http-signature but request does not accept http-signature@1.3.6 which would resolve this issue:
https://github.com/joyent/node-http-signature/blob/master/CHANGES.md#136

Related Issues

#147

[dhmlau]

@felix-hcl, thanks for reporting this. Since request has been deprecated, it would be good to replace request module to another similar module (as you've pointed out #147).
IIRC, @marioestradarosa was looking into replacing request with axios but have some concerns about it. But I couldn't seem to find where the discussion happened. @marioestradarosa, any insights?

[felix-hcl]

Hello @dhmlau,
Thankfully in the meantime there was a fix in a sub-package so request is currently no longer vulnerable. Still the underlying issue remains by relying on a 2 year deprecated package. Is this loopback connector still maintained an recommended to be used?

[samarpanB]

Replaced request with a well-maintained fork - #179