replace request with axios (#394)

Co-authored-by: ethanstjohn <ethanstjohn@ibm.com>
razee-io · Apr 13, 2023 · 0577d0f · 0577d0f
1 parent d4821a9
commit 0577d0f
Show file tree

Hide file tree

Showing 3 changed files with 553 additions and 444 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -3,7 +3,7 @@ node_js:
   - "16"
 
 script:
-  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit --only=prod; else npm audit || true; fi
+  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config audit-ci.json --only=prod; else npx audit-ci --config audit-ci.json || true; fi
   - npm run lint
   - npm test
   - if [ -n "${TRAVIS_TAG}" ]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi

diff --git a/audit-ci.json b/audit-ci.json
@@ -0,0 +1,16 @@
+{
+    "low": true,
+    "_allowlistInfo": [
+      {
+        "advisory": "GHSA-p8p7-x288-28g6",
+        "details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)",
+        "justification1": "Request package is deprecated and unlikely to receive updates.",
+        "justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.",
+        "expiry": "28 April 2023 00:00"
+      }
+    ],
+    "allowlist": [
+      "GHSA-p8p7-x288-28g6"
+    ],
+    "skip-dev": true
+  }