
Update needed to fix severe vulnerabilities in request dependency #96

Closed
ogulcantumdogan opened this issue Dec 28, 2020 · 3 comments

Comments

@ogulcantumdogan

ogulcantumdogan commented Dec 28, 2020

When I run `npm audit` on my project, I can see that this library has an old version of `request` as a dependency and it contains many high-severity vulnerabilities. Can any of the iyzico devs please update the dependencies and release a new version soon? This is fairly unacceptable for a payment processing system that our business has to rely on.

@ShopskaSalad

Hey @ogulcantumdogan, thank you for your statement.
I will notify my colleagues about your notice, yet I would like to inform you that stability is our primary concern.
Overall, could you please share with us which product you have tried that is relevantly dependent on your system?
So I can make things faster for you.
Happy coding!

@ogulcantumdogan

ogulcantumdogan commented Dec 29, 2020

@ShopskaSalad I think I'm having trouble understanding the "which product" question. I'm naturally using the iyzipay-node library on my Node + Express REST API to integrate payments with my Vue.js web app. Specifically, I am using the `iyzipay.checkoutFormInitialize.create` and `iyzipay.checkoutForm.retrieve` methods. I don't think which methods or modules I am using has an effect on the issue itself, because `request` seems to be a core dependency of the iyzipay-node package.

I suggest running an `npm audit` on the codebase and you'll clearly see the high-severity vulnerabilities popping up.

Stability should of course be one of the primary concerns, but I'd rather have 0.5% of incoming payments fail than have my whole backend DDoS'd or, worse, hacked. This is therefore not really acceptable in a production-grade and official repo.

Updating the faulty dependencies appears to make Travis builds fail on Node v6 and lower. But this is a compromise the iyzico team should make, in my opinion. Releasing a major version is needed to support higher Node versions securely.

If you'd like to have a starting point, please check the Open PR #64 .

Thanks!

@ShopskaSalad

Hey @ogulcantumdogan,

Thank you for your response.
I truly need to inform you that we do share your concerns, always.
So above all, let me clarify one very simple thing.

We are a PF and we don't build up our security mechanism behind unstable walls, in your case 3rd-party packages.
Can't anyone intend to attack you? Yes, they can.
Yet what makes iyzico is not only business units but our datasets.

Further, I really would love to help you examine your game plan and business model, so please reach out to me via inbox to discuss a convenient time if needed. ✌️
And finally, actions always speak louder than words; here you may find the BF 2020 data: https://www.iyzico.com/blog/2020-efsane-cuma-online-alisveris-verileri/. 📊

There, I would like to give you 2 (two) more notices you may not find in the report but on the internet.
Even in BF 2020, over half of the acquirers were shut down several times in the Turkish market.
Even in BF 2020, iyzico had 100% uptime, and we did it remotely in the Turkish market. 🚀

To sum up, I am closing this issue and I will inform you via #64 if the DEV teams let me.
We thank you one more time for your honest and kind words, and please let us know here or at [email protected] if we can help you further.
Happy merry coding! 🎄

@ShopskaSalad ShopskaSalad pinned this issue Jan 4, 2021
@ShopskaSalad ShopskaSalad unpinned this issue Jan 4, 2021