From 81ebf5d3faa8d6de7f1401805eca66452c7b8dbe Mon Sep 17 00:00:00 2001
From: Brent Heddens
Date: Fri, 3 Oct 2025 13:01:38 -0400
Subject: [PATCH 1/3] Replace deprecated request library with axios
- Removed request and request-promise-native dependencies
- Added axios@^1.12.2 as replacement
- Updated eventUpdate method to use axios.put()
- Fixes form-data vulnerability by removing transitive dependency on old form-data version
This resolves the critical CVE-2025-7783 vulnerability in form-data that was being pulled in by the deprecated request library.
---
 index.js | 14 +++----
 package-lock.json | 95 ++++++++++++++++++++++-------------------------
 package.json | 3 +-
 3 files changed, 52 insertions(+), 60 deletions(-)
diff --git a/index.js b/index.js
index f685425..2e8935c 100644
--- a/index.js
+++ b/index.js
@@ -7,7 +7,7 @@ const Sms = require('./lib/sms')
 const Email = require('./lib/email')
 const oauth2Routes = require('./lib/oauth2Routes')
 const get = require('lodash.get')
-const request = require('request-promise-native')
+const axios = require('axios')
 const bugsnag = require('@bugsnag/js')
 process.env.DEBUG = process.env.DEBUG || 'envoy*'
@@ -148,14 +148,12 @@ Platform.prototype.getRouteLink = function (path, queryParams = {}) {
 Platform.prototype.eventUpdate = async function (statusSummary, failureReason = null, eventStatus = 'in_progress') {
 let eventReportId = this.req.event_report_id || this.req.params.event_report_id
 let eventReportUrl = `${this.config.baseUrl}/a/hub/v1/event_reports/${eventReportId}`
- return request.put(eventReportUrl, {
- json: true,
- body: {
- status: eventStatus,
- status_message: statusSummary,
- failure_reason: failureReason
- }
+ const response = await axios.put(eventReportUrl, {
+ status: eventStatus,
+ status_message: statusSummary,
+ failure_reason: failureReason
 })
+ return response.data
 }
 Platform.prototype.eventComplete = async function (statusMessage) {
 return this.eventUpdate(statusMessage, null, 'done')
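Review bot: In the second index.js hunk, `eventReportId` is read from `this.req` and interpolated into `eventReportUrl` unencoded (context lines of `eventUpdate`), so a value containing `/`, `..` or `?` would change which path under `baseUrl` the PUT reaches; since the function is being touched anyway, `/a/hub/v1/event_reports/${encodeURIComponent(eventReportId)}` would pin it to a single path segment. The new `axios.put(eventReportUrl, {...})` call passes no config, and axios applies no timeout by default, so a third argument such as `{ timeout: 10000 }` (value illustrative) would keep a stalled hub endpoint from hanging the handler. Failures now reject with an axios error that carries the status at `err.response.status` rather than request-promise's `err.statusCode`, so any caller outside this hunk that inspects the rejection should be checked. `eventUpdate` is fully visible in the hunk; `eventComplete` continues past it.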
diff --git a/package-lock.json b/package-lock.json index d83061b..0a09320 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,22 +1,21 @@ { "name": "envoy-platform-sdk", - "version": "1.1.0", + "version": "1.1.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "envoy-platform-sdk", - "version": "1.1.0", + "version": "1.1.1", "license": "ISC", "dependencies": { "@bugsnag/js": "^5.2.0", + "axios": "^1.12.2", "debug": "^3.1.0", "libphonenumber-js": "^1.10.28", "lodash.get": "^4.4.2", "nodemailer": "^6.6.1", "nodemailer-sendgrid": "^1.0.3", - "request": "^2.88.0", - "request-promise-native": "^1.0.5", "simple-oauth2": "^1.6.0", "standard": "^11.0.1", "twilio": "^4.10.0", @@ -905,11 +904,30 @@ "integrity": "sha512-Uvq6hVe90D0B2WEnUqtdgY1bATGz3mw33nH9Y+dmA+w5DHvUmBgkr5rM/KCHpCsiFNRUfokW/szpPPgMK2hm4A==" }, "node_modules/axios": { - "version": "0.26.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.26.1.tgz", - "integrity": "sha512-fPwcX4EvnSHuInCMItEhAGnaSEXRBjtzh9fOtsE6E1G6p7vl7edEeZe11QHf18+6+9gR5PbKV/sGKNaD8YaMeA==", + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.12.2.tgz", + "integrity": "sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==", + "license": "MIT", "dependencies": { - "follow-redirects": "^1.14.8" + "follow-redirects": "^1.15.6", + "form-data": "^4.0.4", + "proxy-from-env": "^1.1.0" + } + }, + "node_modules/axios/node_modules/form-data": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", + "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "license": "MIT", + "dependencies": { + "asynckit": "^0.4.0", + "combined-stream": "^1.0.8", + "es-set-tostringtag": "^2.1.0", + "hasown": "^2.0.2", + "mime-types": "^2.1.12" + }, + "engines": { + "node": ">= 6" } }, "node_modules/babel-code-frame": { 
@@ -2283,15 +2301,16 @@ } }, "node_modules/follow-redirects": { - "version": "1.15.2", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz", - "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", "url": "https://github.com/sponsors/RubenVerborgh" } ], + "license": "MIT", "engines": { "node": ">=4.0" }, @@ -4804,6 +4823,12 @@ "node >= 0.8.1" ] }, + "node_modules/proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==", + "license": "MIT" + }, "node_modules/proxyquire": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/proxyquire/-/proxyquire-2.1.0.tgz", 
@@ -4977,37 +5002,6 @@ "node": ">= 4" } }, - "node_modules/request-promise-core": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/request-promise-core/-/request-promise-core-1.1.3.tgz", - "integrity": "sha512-QIs2+ArIGQVp5ZYbWD5ZLCY29D5CfWizP8eWnm8FoGD1TX61veauETVQbrV60662V0oFBkrDOuaBI8XgtuyYAQ==", - "dependencies": { - "lodash": "^4.17.15" - }, - "engines": { - "node": ">=0.10.0" - }, - "peerDependencies": { - "request": "^2.34" - } - }, - "node_modules/request-promise-native": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/request-promise-native/-/request-promise-native-1.0.8.tgz", - "integrity": "sha512-dapwLGqkHtwL5AEbfenuzjTYg35Jd6KPytsC2/TLkVMz8rm+tNt72MGUWT1RP/aYawMpN6HqbNGBQaRcBtjQMQ==", - "deprecated": "request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142", - "dependencies": { - "request-promise-core": "1.1.3", - "stealthy-require": "^1.1.1", - "tough-cookie": "^2.3.3" - }, - "engines": { - "node": ">=0.12.0" - }, - "peerDependencies": { - "request": "^2.34" - } - }, "node_modules/require-directory": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", @@ -5426,14 +5420,6 @@ "pkg-conf": "^2.0.0" } }, - "node_modules/stealthy-require": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/stealthy-require/-/stealthy-require-1.1.1.tgz", - "integrity": "sha1-NbCYdbT/SfJqd35QmzCQoyJr8ks=", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", 
@@ -5658,6 +5644,15 @@ "node": ">=14.0" } }, + "node_modules/twilio/node_modules/axios": { + "version": "0.26.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.26.1.tgz", + "integrity": "sha512-fPwcX4EvnSHuInCMItEhAGnaSEXRBjtzh9fOtsE6E1G6p7vl7edEeZe11QHf18+6+9gR5PbKV/sGKNaD8YaMeA==", + "license": "MIT", + "dependencies": { + "follow-redirects": "^1.14.8" + } + }, "node_modules/twilio/node_modules/qs": { "version": "6.11.1", "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.1.tgz", diff --git a/package.json b/package.json index 561beeb..8f5a218 100644 --- a/package.json +++ b/package.json @@ -22,13 +22,12 @@ }, "dependencies": { "@bugsnag/js": "^5.2.0", + "axios": "^1.12.2", "debug": "^3.1.0", "libphonenumber-js": "^1.10.28", "lodash.get": "^4.4.2", "nodemailer": "^6.6.1", "nodemailer-sendgrid": "^1.0.3", - "request": "^2.88.0", - "request-promise-native": "^1.0.5", "simple-oauth2": "^1.6.0", "standard": "^11.0.1", "twilio": "^4.10.0", From 301bc0b534093de6940fbf142214fc0b99c7e7a8 Mon Sep 17 00:00:00 2001 From: Brent Heddens Date: Fri, 3 Oct 2025 13:07:31 -0400 Subject: [PATCH 2/3] Update simple-oauth2 to v5.1.0 - Upgraded from deprecated v1.6.0 to v5.1.0 - Removes transitive dependency on deprecated request library - Further reduces form-data vulnerability exposure Note: OAuth2Routes code needs to be updated to match v5 API --- package-lock.json | 183 ++++++++++++++++++++++++++++++---------------- package.json | 2 +- 2 files changed, 122 insertions(+), 63 deletions(-) diff --git a/package-lock.json b/package-lock.json index 0a09320..eab9847 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,7 +16,7 @@ "lodash.get": "^4.4.2", "nodemailer": "^6.6.1", "nodemailer-sendgrid": "^1.0.3", - "simple-oauth2": "^1.6.0", + "simple-oauth2": "^5.1.0", "standard": "^11.0.1", "twilio": "^4.10.0", "urijs": "^1.19.11" 
@@ -414,6 +414,53 @@ "stack-generator": "^2.0.3" } }, + "node_modules/@hapi/boom": { + "version": "10.0.1", + "resolved": "https://registry.npmjs.org/@hapi/boom/-/boom-10.0.1.tgz", + "integrity": "sha512-ERcCZaEjdH3OgSJlyjVk8pHIFeus91CjKP3v+MpgBNp5IvGzP2l/bRiD78nqYcKPaZdbKkK5vDBVPd2ohHBlsA==", + "license": "BSD-3-Clause", + "dependencies": { + "@hapi/hoek": "^11.0.2" + } + }, + "node_modules/@hapi/bourne": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/@hapi/bourne/-/bourne-3.0.0.tgz", + "integrity": "sha512-Waj1cwPXJDucOib4a3bAISsKJVb15MKi9IvmTI/7ssVEm6sywXGjVJDhl6/umt1pK1ZS7PacXU3A1PmFKHEZ2w==", + "license": "BSD-3-Clause" + }, + "node_modules/@hapi/hoek": { + "version": "11.0.7", + "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-11.0.7.tgz", + "integrity": "sha512-HV5undWkKzcB4RZUusqOpcgxOaq6VOAH7zhhIr2g3G8NF/MlFO75SjOr2NfuSx0Mh40+1FqCkagKLJRykUWoFQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@hapi/topo": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/@hapi/topo/-/topo-5.1.0.tgz", + "integrity": "sha512-foQZKJig7Ob0BMAYBfcJk8d77QtOe7Wo4ox7ff1lQYoNNAb6jwcY1ncdoy2e9wQZzvNy7ODZCYJkK8kzmcAnAg==", + "license": "BSD-3-Clause", + "dependencies": { + "@hapi/hoek": "^9.0.0" + } + }, + "node_modules/@hapi/topo/node_modules/@hapi/hoek": { + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-9.3.0.tgz", + "integrity": "sha512-/c6rf4UJlmHlC9b5BaNvzAcFv7HZ2QHaV0D4/HNlBdvFnvQq8RI4kYdhyPCl7Xj+oWvTWQ8ujhqS53LIgAe6KQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@hapi/wreck": { + "version": "18.1.0", + "resolved": "https://registry.npmjs.org/@hapi/wreck/-/wreck-18.1.0.tgz", + "integrity": "sha512-0z6ZRCmFEfV/MQqkQomJ7sl/hyxvcZM7LtuVqN3vdAO4vM9eBbowl0kaqQj9EJJQab+3Uuh1GxbGIBFy4NfJ4w==", + "license": "BSD-3-Clause", + "dependencies": { + "@hapi/boom": "^10.0.1", + "@hapi/bourne": "^3.0.0", + "@hapi/hoek": "^11.0.2" + } + }, "node_modules/@istanbuljs/load-nyc-config": { "version": "1.1.0", 
"resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz", @@ -613,6 +660,33 @@ "node": ">=6.0.0" } }, + "node_modules/@sideway/address": { + "version": "4.1.5", + "resolved": "https://registry.npmjs.org/@sideway/address/-/address-4.1.5.tgz", + "integrity": "sha512-IqO/DUQHUkPeixNQ8n0JA6102hT9CmaljNTPmQ1u8MEhBo/R4Q8eKLN/vGZxuebwOroDB4cbpjheD4+/sKFK4Q==", + "license": "BSD-3-Clause", + "dependencies": { + "@hapi/hoek": "^9.0.0" + } + }, + "node_modules/@sideway/address/node_modules/@hapi/hoek": { + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-9.3.0.tgz", + "integrity": "sha512-/c6rf4UJlmHlC9b5BaNvzAcFv7HZ2QHaV0D4/HNlBdvFnvQq8RI4kYdhyPCl7Xj+oWvTWQ8ujhqS53LIgAe6KQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@sideway/formula": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/@sideway/formula/-/formula-3.0.1.tgz", + "integrity": "sha512-/poHZJJVjx3L+zVD6g9KgHfYnb443oi7wLu/XKojDviHy6HOEOA6z1Trk5aR1dGcmPenJEgb2sK2I80LeS3MIg==", + "license": "BSD-3-Clause" + }, + "node_modules/@sideway/pinpoint": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@sideway/pinpoint/-/pinpoint-2.0.0.tgz", + "integrity": "sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ==", + "license": "BSD-3-Clause" + }, "node_modules/@sinonjs/commons": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.4.0.tgz", @@ -1004,11 +1078,6 @@ "node": ">=8" } }, - "node_modules/bluebird": { - "version": "3.7.2", - "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz", - "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" - }, "node_modules/brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", 
@@ -1446,11 +1515,6 @@ "node": ">=0.10" } }, - "node_modules/date-fns": { - "version": "1.30.1", - "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-1.30.1.tgz", - "integrity": "sha512-hBSVCvSmWC+QypYObzwGOd9wqdDpOt+0wl0KbU+R+uuZBS1jN8VsD1ss3irQDknRj5NvxiTF6oj/nDRnN/UQNw==" - }, "node_modules/dayjs": { "version": "1.11.7", "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.7.tgz", @@ -2742,15 +2806,6 @@ "he": "bin/he" } }, - "node_modules/hoek": { - "version": "4.2.1", - "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz", - "integrity": "sha512-QLg82fGkfnJ/4iy1xZ81/9SIJiq1NGFUMGs6ParyjBZr6jW2Ufj/snDqTHixNlHdPNwN2RLVD0Pi3igeK9+JfA==", - "deprecated": "This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).", - "engines": { - "node": ">=4.0.0" - } - }, "node_modules/hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", @@ -3046,17 +3101,6 @@ "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=" }, - "node_modules/isemail": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/isemail/-/isemail-3.2.0.tgz", - "integrity": "sha512-zKqkK+O+dGqevc93KNsbZ/TqTUFd46MwWjYOoMrjIMZ51eU7DtQG3Wmd9SQQT7i7RVnuTPEiYEWHU3MSbxC1Tg==", - "dependencies": { - "punycode": "2.x.x" - }, - "engines": { - "node": ">=4.0.0" - } - }, "node_modules/iserror": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/iserror/-/iserror-0.0.2.tgz", 
@@ -3289,19 +3333,24 @@ } }, "node_modules/joi": { - "version": "12.0.0", - "resolved": "https://registry.npmjs.org/joi/-/joi-12.0.0.tgz", - "integrity": "sha512-z0FNlV4NGgjQN1fdtHYXf5kmgludM65fG/JlXzU6+rwkt9U5UWuXVYnXa2FpK0u6+qBuCmrm5byPNuiiddAHvQ==", - "deprecated": "This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).", + "version": "17.13.3", + "resolved": "https://registry.npmjs.org/joi/-/joi-17.13.3.tgz", + "integrity": "sha512-otDA4ldcIx+ZXsKHWmp0YizCweVRZG96J10b0FevjfuncLO1oX59THoAmHkNubYJ+9gWsYsp5k8v4ib6oDv1fA==", + "license": "BSD-3-Clause", "dependencies": { - "hoek": "4.x.x", - "isemail": "3.x.x", - "topo": "2.x.x" - }, - "engines": { - "node": ">=4.0.0" + "@hapi/hoek": "^9.3.0", + "@hapi/topo": "^5.1.0", + "@sideway/address": "^4.1.5", + "@sideway/formula": "^3.0.1", + "@sideway/pinpoint": "^2.0.0" } }, + "node_modules/joi/node_modules/@hapi/hoek": { + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/@hapi/hoek/-/hoek-9.3.0.tgz", + "integrity": "sha512-/c6rf4UJlmHlC9b5BaNvzAcFv7HZ2QHaV0D4/HNlBdvFnvQq8RI4kYdhyPCl7Xj+oWvTWQ8ujhqS53LIgAe6KQ==", + "license": "BSD-3-Clause" + }, "node_modules/js-tokens": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", 
@@ -5211,18 +5260,40 @@ "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=" }, "node_modules/simple-oauth2": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/simple-oauth2/-/simple-oauth2-1.6.0.tgz", - "integrity": "sha512-nSfa5lIJbf89k+VpWrZTzChH4B0/a/DRD3+NlEqyto8qgQ/FWX8eWzZs4KnkvnTMAB2Lph/V46ikoqk7UrjjEg==", - "deprecated": "simple-oauth2 v1 is no longer supported. Please upgrade to v3 for further support", + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/simple-oauth2/-/simple-oauth2-5.1.0.tgz", + "integrity": "sha512-gWDa38Ccm4MwlG5U7AlcJxPv3lvr80dU7ARJWrGdgvOKyzSj1gr3GBPN1rABTedAYvC/LsGYoFuFxwDBPtGEbw==", + "license": "Apache-2.0", "dependencies": { - "bluebird": "^3.5.0", - "date-fns": "^1.3.0", - "debug": "^3.1.0", - "joi": "^12.0.0", - "request": "^2.81.0" + "@hapi/hoek": "^11.0.4", + "@hapi/wreck": "^18.0.0", + "debug": "^4.3.4", + "joi": "^17.6.4" + } + }, + "node_modules/simple-oauth2/node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } } }, + "node_modules/simple-oauth2/node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, "node_modules/sinon": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/sinon/-/sinon-5.1.1.tgz", 
@@ -5581,18 +5652,6 @@ "node": ">=8.0" } }, - "node_modules/topo": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/topo/-/topo-2.0.2.tgz", - "integrity": "sha1-zVYVdSU5BXwNwEkaYhw7xvvh0YI=", - "deprecated": "This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).", - "dependencies": { - "hoek": "4.x.x" - }, - "engines": { - "node": ">=4.0.0" - } - }, "node_modules/tough-cookie": { "version": "2.4.3", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz", diff --git a/package.json b/package.json index 8f5a218..cedbf30 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "lodash.get": "^4.4.2", "nodemailer": "^6.6.1", "nodemailer-sendgrid": "^1.0.3", - "simple-oauth2": "^1.6.0", + "simple-oauth2": "^5.1.0", "standard": "^11.0.1", "twilio": "^4.10.0", "urijs": "^1.19.11" From 484227a13e414238f9f4bcd971d9c2c9c6651bb3 Mon Sep 17 00:00:00 2001 From: Brent Heddens Date: Fri, 3 Oct 2025 13:09:29 -0400 Subject: [PATCH 3/3] Update @bugsnag/js to v8.6.0 - Upgraded from deprecated v5.2.0 to v8.6.0 - Removes @bugsnag/node dependency which used deprecated request library - Further reduces form-data vulnerability exposure Note: Some tests may need updates for new Bugsnag API --- package-lock.json | 104 +++++++++++++++++++++++++++++++--------------- package.json | 2 +- 2 files changed, 72 insertions(+), 34 deletions(-) diff --git a/package-lock.json b/package-lock.json index eab9847..9d3e7f0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "1.1.1", "license": "ISC", "dependencies": { - "@bugsnag/js": "^5.2.0", + "@bugsnag/js": "^8.6.0", "axios": "^1.12.2", "debug": "^3.1.0", "libphonenumber-js": "^1.10.28", 
@@ -388,32 +388,63 @@ } }, "node_modules/@bugsnag/browser": { - "version": "5.2.0", - "resolved": "https://registry.npmjs.org/@bugsnag/browser/-/browser-5.2.0.tgz", - "integrity": "sha512-QImSbwVjcEbaUjCxNRVOELUahdHmRfkZ9o0UJpMDsfYNqpMpYzI7DdyH0BUnXv/yI4ymGpAQbFSEqVMTqSa9WA==" + "version": "8.6.0", + "resolved": "https://registry.npmjs.org/@bugsnag/browser/-/browser-8.6.0.tgz", + "integrity": "sha512-7UGqTGnQqXUQ09gOlWbDTFUSbeLIIrP+hML3kTOq8Zdc8nP/iuOEflXGLV2TxWBWW8xIUPc928caFPr9EcaDuw==", + "license": "MIT", + "dependencies": { + "@bugsnag/core": "^8.6.0" + } + }, + "node_modules/@bugsnag/core": { + "version": "8.6.0", + "resolved": "https://registry.npmjs.org/@bugsnag/core/-/core-8.6.0.tgz", + "integrity": "sha512-94Jo443JegaiKV8z8NXMFdyTGubiUnwppWhq3kG2ldlYKtEvrmIaO5+JA58B6oveySvoRu3cCe2W9ysY7G7mDw==", + "license": "MIT", + "dependencies": { + "@bugsnag/cuid": "^3.0.0", + "@bugsnag/safe-json-stringify": "^6.0.0", + "error-stack-parser": "^2.0.3", + "iserror": "^0.0.2", + "stack-generator": "^2.0.3" + } + }, + "node_modules/@bugsnag/cuid": { + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/@bugsnag/cuid/-/cuid-3.2.1.tgz", + "integrity": "sha512-zpvN8xQ5rdRWakMd/BcVkdn2F8HKlDSbM3l7duueK590WmI1T0ObTLc1V/1e55r14WNjPd5AJTYX4yPEAFVi+Q==", + "license": "MIT" }, "node_modules/@bugsnag/js": { - "version": "5.2.0", - "resolved": "https://registry.npmjs.org/@bugsnag/js/-/js-5.2.0.tgz", - "integrity": "sha512-tL+Jr4DnQbCH+nLR6Kb9m5QbstIbmFbL9yKId2W3z0MvPxTg9vhRSlu35+99+04CRHrQu0VdY2n9RzDbD5kpgg==", + "version": "8.6.0", + "resolved": "https://registry.npmjs.org/@bugsnag/js/-/js-8.6.0.tgz", + "integrity": "sha512-U+ofNTTMA2Z6tCrOhK/QhHBhLoQHoalk8Y82WWc7FAcVSoJZYadND/QuXUriNRZpC4YgJ/s/AxPeQ2y+WvMxzw==", + "license": "MIT", "dependencies": { - "@bugsnag/browser": "^5.2.0", - "@bugsnag/node": "^5.2.0" + "@bugsnag/browser": "^8.6.0", + "@bugsnag/node": "^8.6.0" } }, "node_modules/@bugsnag/node": { - "version": "5.2.0", - "resolved": 
"https://registry.npmjs.org/@bugsnag/node/-/node-5.2.0.tgz", - "integrity": "sha512-2KqUcZ/uTkNP9G4aGW+sKhdce3Z68pg9I+LnjUDvpMEQ82O/zxy+NLkGTSz9hveNBdznJ1YoqjfoBdRnHkyRSw==", + "version": "8.6.0", + "resolved": "https://registry.npmjs.org/@bugsnag/node/-/node-8.6.0.tgz", + "integrity": "sha512-O91sELo6zBjflVeP3roRC9l68iYaafVs5lz2N0FDkrT08mP2UljtNWpjjoR/0h1so5Ny1OxHgnZ1IrsXhz5SMQ==", + "license": "MIT", "dependencies": { + "@bugsnag/core": "^8.6.0", "byline": "^5.0.0", - "error-stack-parser": "^2.0.2", + "error-stack-parser": "^2.0.3", "iserror": "^0.0.2", "pump": "^3.0.0", - "request": "^2.87.0", "stack-generator": "^2.0.3" } }, + "node_modules/@bugsnag/safe-json-stringify": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/@bugsnag/safe-json-stringify/-/safe-json-stringify-6.1.0.tgz", + "integrity": "sha512-ImA35rnM7bGr+J30R979FQ95BhRB4UO1KfJA0J2sVqc8nwnrS9hhE5mkTmQWMs8Vh1Da+hkLKs5jJB4JjNZp4A==", + "license": "MIT" + }, "node_modules/@hapi/boom": { "version": "10.0.1", "resolved": "https://registry.npmjs.org/@hapi/boom/-/boom-10.0.1.tgz", @@ -1159,7 +1190,8 @@ "node_modules/byline": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz", - "integrity": "sha1-dBxSFkaOrcRXsDQQEYrXfejB3bE=", + "integrity": "sha512-s6webAy+R4SR8XVuJWt2V2rGvhnrhxN+9S15GNuTK3wKPOXFF6RNc+8ug2XhH+2s4f+uudG4kUVYmYOQWL2g0Q==", + "license": "MIT", "engines": { "node": ">=0.10.0" } @@ -1709,9 +1741,10 @@ "dev": true }, "node_modules/end-of-stream": { - "version": "1.4.4", - "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz", - "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==", + "version": "1.4.5", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz", + "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==", + "license": "MIT", "dependencies": { "once": "^1.4.0" } 
@@ -1725,11 +1758,12 @@ } }, "node_modules/error-stack-parser": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.0.4.tgz", - "integrity": "sha512-fZ0KkoxSjLFmhW5lHbUT3tLwy3nX1qEzMYo8koY1vrsAco53CMT1djnBSeC/wUjTEZRhZl9iRw7PaMaxfJ4wzQ==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.1.4.tgz", + "integrity": "sha512-Sk5V6wVazPhq5MhpO+AUxJn5x7XSXGl1R93Vn7i+zS15KDVxQijejNCrz8340/2bgLBjR9GtEG8ZVKONDjcqGQ==", + "license": "MIT", "dependencies": { - "stackframe": "^1.1.0" + "stackframe": "^1.3.4" } }, "node_modules/es-abstract": { @@ -3104,7 +3138,8 @@ "node_modules/iserror": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/iserror/-/iserror-0.0.2.tgz", - "integrity": "sha1-vVNFH+L2aLnyQCwZZnh6qix8C/U=" + "integrity": "sha512-oKGGrFVaWwETimP3SiWwjDeY27ovZoyZPHtxblC4hCq9fXxed/jasx+ATWFFjCVSRZng8VTMsN1nDnGo6zMBSw==", + "license": "MIT" }, "node_modules/isexe": { "version": "2.0.0", @@ -4909,9 +4944,10 @@ "integrity": "sha512-SYKKmVel98NCOYXpkwUqZqh0ahZeeKfmisiLIcEZdsb+WbLv02g/dI5BUmZnIyOe7RzZtLax81nnb2HbvC2tzA==" }, "node_modules/pump": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz", - "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz", + "integrity": "sha512-todwxLMY7/heScKmntwQG8CXVkWUOdYxIvY2s0VWAAMh/nd8SoYiRaKjlr7+iCs984f2P8zvrfWcDDYVb73NfA==", + "license": "MIT", "dependencies": { "end-of-stream": "^1.1.0", "once": "^1.3.1" 
@@ -5446,17 +5482,19 @@ } }, "node_modules/stack-generator": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/stack-generator/-/stack-generator-2.0.4.tgz", - "integrity": "sha512-ha1gosTNcgxwzo9uKTQ8zZ49aUp5FIUW58YHFxCqaAHtE0XqBg0chGFYA1MfmW//x1KWq3F4G7Ug7bJh4RiRtg==", + "version": "2.0.10", + "resolved": "https://registry.npmjs.org/stack-generator/-/stack-generator-2.0.10.tgz", + "integrity": "sha512-mwnua/hkqM6pF4k8SnmZ2zfETsRUpWXREfA/goT8SLCV4iOFa4bzOX2nDipWAZFPTjLvQB82f5yaodMVhK0yJQ==", + "license": "MIT", "dependencies": { - "stackframe": "^1.1.0" + "stackframe": "^1.3.4" } }, "node_modules/stackframe": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.1.0.tgz", - "integrity": "sha512-Vx6W1Yvy+AM1R/ckVwcHQHV147pTPBKWCRLrXMuPrFVfvBUc3os7PR1QLIWCMhPpRg5eX9ojzbQIMLGBwyLjqg==" + "version": "1.3.4", + "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.3.4.tgz", + "integrity": "sha512-oeVtt7eWQS+Na6F//S4kJ2K2VbRlS9D43mAlMyVpVWovy9o+jfgH8O9agzANzaiLjclA0oYzUXEM4PurhSUChw==", + "license": "MIT" }, "node_modules/standard": { "version": "11.0.1", diff --git a/package.json b/package.json index cedbf30..497d817 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "invoke": "./bin/invoke" }, "dependencies": { - "@bugsnag/js": "^5.2.0", + "@bugsnag/js": "^8.6.0", "axios": "^1.12.2", "debug": "^3.1.0", "libphonenumber-js": "^1.10.28",