Security Vulnerability: Outdated Dependencies in moyasar Package

[BandarHL]

Security Vulnerability: Outdated Dependencies in moyasar Package

Description

The moyasar package is currently using the outdated request-promise library, which in turn depends on a specific version of tough-cookie. This dependency chain introduces a moderate severity security vulnerability to projects that include moyasar.

Vulnerable Dependencies

1. request-promise

   • Status: Deprecated
   • Contains outdated and insecure dependencies.

2. tough-cookie

   • Severity: Moderate
   • Directly contributes to security vulnerabilities in projects using moyasar.

Suggested Action

To address this issue, the following actions are recommended:

1. Replace request-promise with a more modern and actively maintained library, such as:

   • axios
   • got

2. Update or remove the dependency on tough-cookie as appropriate.

Impact

The continued use of these outdated libraries exposes projects to potential security risks and may cause compatibility issues with modern Node.js versions.

References

• NPM Advisory for request-promise.
• NPM Advisory for tough-cookie.

Please address this issue in an upcoming release to ensure the security and stability of the moyasar package. Let me know if I can assist further or provide additional testing.

Thank you!