Update dependencies

**Describe the issue**

Follow-up from medic/cht-conf#621

`npm audit` reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:
```
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install dom-compare@0.1.1, which is a breaking change
node_modules/xmldom
  dom-compare  >=0.2.0
  Depends on vulnerable versions of xmldom
  node_modules/dom-compare

6 vulnerabilities (5 moderate, 1 critical)
```

**Describe the improvement you'd like**

To summarize the above logs, we need to:
- [ ] replace `request` and `request-promise-native` with a more modern alternative because they're both deprecated. Most [alternatives proposed](https://github.com/request/request/issues/3143) are either ESM-only, unstable, or not production ready
- [ ] replace `dom-compare`. It's not longer maintained and uses a vulnerable version of `xmldom`. We could fork it and use the [more recent version of xmldom](https://www.npmjs.com/package/@xmldom/xmldom), inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.

Dependencies that cannot be updated until we [migrate to ESM](https://github.com/medic/cht-conf/issues/627):
- [ ] `chai`
- [ ] `chai-as-promised`
- [ ] `chai-exclude`
- [ ] `open`

Dependencies that need a higher version of Node.js:
- [ ] `semantic-release`

PouchDB-related dependencies should probably be updated along with [cht-core](https://github.com/medic/cht-core/issues/9208)'s.

Additionally, `xpath` has a new minor version available but no changelog is provided.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update dependencies #629

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Update dependencies #629

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions