forked from turt2live/matrix-bot-sdk
Summary
The request package used in matrix-bot-sdk is deprecated and has a known SSRF (Server-Side Request Forgery) vulnerability (CVE-2023-28155).
Details
- Package: request (<=2.88.2)
- Advisory: GHSA-p8p7-x288-28g6
- Severity: Moderate
- Status: Deprecated, no fix available ("patched versions" shows <0.0.0)
Current Usage in Bot SDK
```json
"dependencies": {
  "request": "^2.88.2",
  "request-promise": "^4.2.6"
}
```
Proposed Solution
Replace request and request-promise with modern alternatives:
Option A: axios (most compatible)
```sh
npm install axios
npm uninstall request request-promise
```
Option B: native fetch (Node 18+)
Built-in, no additional dependencies needed.
Option C: undici (Node.js team recommended)
Fast, spec-compliant HTTP client.
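Option B worked through, as an added example that is not matrix-bot-sdk's own code: a fetch-based stand-in for the SDK's request-promise calls that handles redirects itself, since the advisory for `request` concerns its redirect handling. The helper names `doRequest`, `isAllowedRedirect` and `nextHop` are assumed, not SDK API.

```javascript
// Added example (not matrix-bot-sdk code): a fetch-based stand-in for the
// SDK's request-promise calls (Option B, Node 18+). Redirects are followed
// manually so the client never leaves the homeserver origin or downgrades
// to http, the redirect-handling weakness behind CVE-2023-28155 in `request`.

const MAX_REDIRECTS = 5;

// True only if `location` stays on the same origin (scheme, host, port)
// as `baseUrl` and does not downgrade https to http.
function isAllowedRedirect(baseUrl, location) {
  let base, target;
  try {
    base = new URL(baseUrl);
    target = new URL(location, baseUrl); // relative Location resolves against base
  } catch {
    return false;
  }
  if (base.protocol === "https:" && target.protocol !== "https:") return false;
  return target.origin === base.origin;
}

// One step of a redirect chain: returns the next URL to fetch or throws.
function nextHop(currentUrl, status, locationHeader, hop) {
  if (hop >= MAX_REDIRECTS) throw new Error("too many redirects");
  if (!locationHeader) throw new Error(`redirect ${status} without Location`);
  if (!isAllowedRedirect(currentUrl, locationHeader)) {
    throw new Error(`refusing redirect from ${currentUrl} to ${locationHeader}`);
  }
  return new URL(locationHeader, currentUrl).toString();
}

// Hypothetical helper: JSON in, JSON out, with the redirect policy applied.
async function doRequest(method, url, body, accessToken) {
  const headers = { "Content-Type": "application/json" };
  if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
  let current = url;
  for (let hop = 0; ; hop++) {
    const res = await fetch(current, {
      method, headers, redirect: "manual",
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if ([301, 302, 303, 307, 308].includes(res.status)) {
      current = nextHop(current, res.status, res.headers.get("location"), hop);
      continue;
    }
    if (!res.ok) throw new Error(`HTTP ${res.status} from ${current}`);
    return res.json();
  }
}
```

`doRequest("GET", "https://matrix.example.org/_matrix/client/versions")` follows same-origin redirects and rejects any hop to another host or to plain http.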
Impact
- Security: Eliminates SSRF vulnerability
- Maintenance: Removes deprecated dependency
- Breaking: Minimal - internal HTTP client change only
References
- request deprecation notice: Request’s Past, Present and Future request/request#3142
- CVE-2023-28155: https://nvd.nist.gov/vuln/detail/CVE-2023-28155
Would the maintainers accept a PR implementing this change? I can prepare one if there's interest.