SHA-1 Weak Authentication Algorithm vulnerability in dependency "request"

[aqan213]

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package.
The vulnerability reports that

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

Here is the hierarchy of the "request" module tracking back to appmetrics

"request" --> kubernetes-client" -->"ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics" --> bluemix-autoscaling-agent

According to request/request#2640 it looks like all versions of request are vulnerable and the request package is depreciated.
Can you please take a look? thanks,

[aqan213]

Hi, Can anyone help to check this issue? thanks,

[aqan213]

The customer is supposed to fix it in Feb. Is it possible to address this issue asap or can you please give us a date when you plan to do it? thanks,

[pinkyjpainadath]

Hi, We are also facing the same issue. is there a fix expected for this any time soon

[donacarr]

Hi ... any chance to replace "request" with something else not vulnerable?

[godber]

There is already an issue here for request being deprecated.

#614

It would probably make sense to close this issue in preference to that issue.