Description
Raising this issue to give a more transparent way to track the internal effort of addressing the current challenges around urllib v2.
Background:
There are already a couple of issues of various severity stemming from urllib v2 (2.40.0) and its direct/indirect dependencies, which is the urllib version currently in use by the Snowflake Node.JS driver. Some examples:
- Buffer deprecation warning - Bump urllib to at least 3.0.0 #363
- Snyk: snowflake-connector-nodejs word-wrap 1.2.3 | Snyk ID - SNYK-JS-WORDWRAP-3149973 #454
- Snyk: vm2 Sandbox Bypass Vulnerability | SNYK-JS-VM2-5537100 #512
- CVE-2023-37466 - VM2 - Sandbox Escape Vulnerability #571
(et al.)
We cannot just take the urllib dependency and bump it to the most recent (v3) versions, because urllib v3.0.0 introduced a breaking change: it has been rebased onto undici, and that version is incompatible with the snowflake-sdk implementation today.
As urllib provides core functionality to snowflake-sdk (sending HTTP requests to the Snowflake engine), appropriate care needs to be taken in refactoring the solution.
This issue is here to track the progress. The current aim is to implement and release the changes by the end of Q3 2023.