ADR 004: Steam Trade Library Security (Accepted Risk)

Status

Accepted - 2026-02-16

Context

Dependency Analysis

Current Steam trade dependencies:

  • steam-tradeoffer-manager v2.12.2 (actively maintained by DoctorMcKay)
  • steamcommunity v3.49.0 (actively maintained by DoctorMcKay)
  • steam-user v5.0.0 (actively maintained by DoctorMcKay)

Identified Vulnerabilities

Transitive dependencies via deprecated request@2.88.2:

  • form-data - CRITICAL (RCE vulnerability)
  • nth-check - HIGH (ReDoS vulnerability)
  • lodash.pick - HIGH (Prototype pollution)

All three vulnerabilities originate from the deprecated request package (unmaintained since 2020).

Investigation Results

Evaluated migration options:

  1. Current state verified:
    • All Steam libraries (steam-tradeoffer-manager, steamcommunity, steam-user) are ACTIVELY MAINTAINED by original author (DoctorMcKay)
    • Latest updates: August 2025 (steam-tradeoffer-manager v2.12.2)
    • GitHub releases: November 2024 (v2.11.7)
  2. Migration to fork:
    • No maintained forks exist (e.g., @doctormckay/steam-tradeoffer-manager does NOT exist in npm)
    • All Steam libraries depend on request@2.88.2 (ecosystem-wide issue)
  3. Rewrite trade system:
    • Requires complete reimplementation of Steam trade protocol
    • Estimated effort: 3-4 weeks
    • Risk: High (Steam API complexity, undocumented behaviors)

Decision

Accept security vulnerabilities as calculated risk.

Rationale:

  • Libraries are actively maintained (last update 6 months ago)
  • Vulnerabilities are transitive (not in direct dependencies)
  • No viable migration path exists (ecosystem-wide request dependency)
  • Attack surface is mitigated by architectural controls

Consequences

Positive

  • ✅ Zero migration effort (already on maintained versions)
  • ✅ Libraries receive compatibility updates for Steam API changes
  • ✅ Positioned for future security fixes when maintainer rewrites libraries

Negative

  • ⚠️ CRITICAL/HIGH vulnerabilities remain in dependency tree
  • ⚠️ pnpm audit will continue reporting vulnerabilities
  • ⚠️ Requires ongoing monitoring for new CVEs

Mitigation Controls

Architectural:

  • Steam bot runs in isolated Docker container
  • No direct user input to trade manager (controlled server-side)
  • Trade offers validated before creation
  • Rate limiting on trade operations
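The three architectural controls above (no direct user input to the trade manager, validation before creation, rate limiting) as an added example; this is not code from the project or from the DoctorMcKay libraries. It is a hypothetical server-side gate that rebuilds an offer from allowlisted fields only and applies a per-partner rate limit before anything is handed to the trade manager. The partner allowlist, owned-asset set, allowed app ids, limits and all function names are assumptions for illustration.

```javascript
'use strict';

// Added example (not project code). Hypothetical gate placed in front of the
// Steam trade manager: input is rebuilt from allowlisted fields only, and a
// per-partner rate limit is applied before an offer can be created.

// Public individual Steam64 IDs are 17 digits beginning with 7656119.
const STEAM64_RE = /^7656119\d{10}$/;
// contextid / assetid are numeric strings in Steam's item model.
const DIGITS_RE = /^\d{1,20}$/;
const MAX_MESSAGE_LEN = 128;

// Fixed-window limiter, one window per key (the partner id). `now` is
// injectable so the behaviour can be tested deterministically.
class TradeRateLimiter {
  constructor(maxPerWindow, windowMs, now = Date.now) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  allow(key) {
    const at = this.now();
    const w = this.windows.get(key);
    if (!w || at - w.start >= this.windowMs) {
      this.windows.set(key, { start: at, count: 1 });
      return true;
    }
    if (w.count >= this.maxPerWindow) return false;
    w.count += 1;
    return true;
  }
}

const reject = (reason) => ({ ok: false, reason });

// ctx is assumed server-side state: allowedPartners (Set of Steam64 strings),
// allowedAppIds (Set of numbers), ownedAssetIds (Set of asset-id strings the
// bot currently holds), maxItemsPerOffer (number).
function validateTradeRequest(req, ctx) {
  if (!req || typeof req !== 'object') return reject('malformed request');
  const { partnerSteamId, items, message } = req;

  if (typeof partnerSteamId !== 'string' || !STEAM64_RE.test(partnerSteamId)) return reject('invalid partner id');
  if (!ctx.allowedPartners.has(partnerSteamId)) return reject('partner not allowlisted');
  if (!Array.isArray(items) || items.length === 0) return reject('no items');
  if (items.length > ctx.maxItemsPerOffer) return reject('too many items');

  const seen = new Set();
  const cleanItems = [];
  for (const it of items) {
    if (!it || typeof it !== 'object') return reject('malformed item');
    const appid = Number(it.appid);
    if (!Number.isInteger(appid) || !ctx.allowedAppIds.has(appid)) return reject('appid not allowed');
    if (typeof it.contextid !== 'string' || !DIGITS_RE.test(it.contextid)) return reject('invalid contextid');
    if (typeof it.assetid !== 'string' || !DIGITS_RE.test(it.assetid)) return reject('invalid assetid');
    if (!ctx.ownedAssetIds.has(it.assetid)) return reject('asset not owned by bot');
    if (seen.has(it.assetid)) return reject('duplicate asset');
    seen.add(it.assetid);
    // Rebuild the item: only these three fields ever reach the trade manager.
    cleanItems.push({ appid, contextid: it.contextid, assetid: it.assetid });
  }

  let cleanMessage = '';
  if (message !== undefined) {
    // Printable ASCII only, bounded length: the message is echoed to the partner.
    if (typeof message !== 'string' || message.length > MAX_MESSAGE_LEN || /[^\x20-\x7E]/.test(message)) {
      return reject('invalid message');
    }
    cleanMessage = message;
  }
  return { ok: true, offer: { partnerSteamId, items: cleanItems, message: cleanMessage } };
}

// Full gate: validation first, then the rate limit keyed by partner.
function gateTradeRequest(req, ctx, limiter) {
  const v = validateTradeRequest(req, ctx);
  if (!v.ok) return v;
  if (!limiter.allow(v.offer.partnerSteamId)) return reject('rate limited');
  return v;
}

// Constructed sample context for illustration only.
const sampleCtx = {
  allowedPartners: new Set(['76561198000000001']),
  allowedAppIds: new Set([730]),
  ownedAssetIds: new Set(['1111', '2222']),
  maxItemsPerOffer: 10,
};
```

The design point is that the object returned in `offer` is built from scratch rather than passed through: unknown fields such as an `amount` or a trade token in the inbound request are dropped, so the trade manager only ever sees values the server has checked against its own state. Call `gateTradeRequest(req, sampleCtx, new TradeRateLimiter(3, 60_000))` and only create an offer when `ok` is true.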

Operational:

  • Weekly pnpm audit review
  • Monitoring for new CVEs in request ecosystem
  • Alert on CRITICAL exploits (active exploitation)
  • Immediate re-evaluation if public exploit published

Future Path:

  • Monitor steam-tradeoffer-manager releases for request removal
  • Re-evaluate when DoctorMcKay migrates to modern HTTP client
  • Timeline: Unknown (community effort)

Monitoring Plan

Weekly Review

cd backend
# pnpm audit prints severities in lowercase ("high", "critical"), so match case-insensitively
pnpm audit | grep -iE "critical|high"

Alert Triggers

  • New CRITICAL vulnerability in request or transitive deps
  • Public exploit code published (CVE with PoC)
  • Steam bot unexpected errors/crashes
  • Trade offers failing to create
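An added example, not the project's own review script, of the weekly review and the first two alert triggers above: it triages a `pnpm audit --json` report against the baseline this ADR accepts, so the three known advisories are listed as accepted while a new CRITICAL/HIGH advisory, or an accepted module whose severity escalates, raises an alert. It assumes pnpm emits the npm-v6-style JSON shape (`advisories` keyed by id, each with `module_name`, `severity`, `cves` and `findings[].paths`); the sample report, its ids, versions, dependency paths and the `hypothetical-new-lib` entry are constructed.

```javascript
'use strict';

// Added example (not project code). Triages a `pnpm audit --json` report
// against the ADR 004 baseline. Assumed report shape (npm v6 style):
// { advisories: { "<id>": { module_name, severity, cves, findings: [{ version, paths }] } } }

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Accepted by ADR 004: module -> highest severity accepted for it.
const ADR004_BASELINE = new Map([
  ['form-data', 'critical'],
  ['nth-check', 'high'],
  ['lodash.pick', 'high'],
]);

function rank(severity) {
  return SEVERITY_RANK[String(severity || '').toLowerCase()] ?? -1;
}

// Returns { accepted, alerts, exitCode }. An advisory alerts when its module is
// not in the baseline, or when its severity exceeds the accepted severity.
function triageAudit(report, baseline = ADR004_BASELINE, minSeverity = 'high') {
  const accepted = [];
  const alerts = [];
  const advisories = (report && report.advisories) || {};
  for (const [id, adv] of Object.entries(advisories)) {
    const severity = String(adv.severity || '').toLowerCase();
    if (rank(severity) < rank(minSeverity)) continue; // below the review threshold
    const paths = (adv.findings || []).flatMap((f) => f.paths || []);
    const entry = { id, module: adv.module_name, severity, cves: adv.cves || [], paths };
    const acceptedSeverity = baseline.get(adv.module_name);
    if (acceptedSeverity !== undefined && rank(severity) <= rank(acceptedSeverity)) {
      accepted.push(entry);
    } else {
      entry.reason = acceptedSeverity === undefined
        ? 'not in ADR 004 baseline'
        : `severity escalated above accepted ${acceptedSeverity}`;
      alerts.push(entry);
    }
  }
  return { accepted, alerts, exitCode: alerts.length > 0 ? 1 : 0 };
}

// One line per finding, suitable for a weekly review note or a CI log.
function formatTriage(result) {
  const lines = [];
  for (const a of result.accepted) {
    lines.push(`ACCEPTED ${a.severity.padEnd(8)} ${a.module} (#${a.id}) via ${a.paths[0] || 'unknown path'}`);
  }
  for (const a of result.alerts) {
    lines.push(`ALERT    ${a.severity.padEnd(8)} ${a.module} (#${a.id}): ${a.reason}`);
  }
  return lines.join('\n');
}

// Constructed sample report; ids, versions and dependency paths are illustrative.
const SAMPLE_REPORT = {
  advisories: {
    '1001': { module_name: 'form-data', severity: 'critical', cves: [],
              findings: [{ version: '2.5.1', paths: ['steam-tradeoffer-manager>request>form-data'] }] },
    '1002': { module_name: 'nth-check', severity: 'high', cves: [],
              findings: [{ version: '1.0.2', paths: ['steamcommunity>cheerio>css-select>nth-check'] }] },
    '1003': { module_name: 'lodash.pick', severity: 'high', cves: [],
              findings: [{ version: '4.4.0', paths: ['steamcommunity>cheerio>lodash.pick'] }] },
    // Hypothetical new advisory outside the accepted baseline: must alert.
    '1004': { module_name: 'hypothetical-new-lib', severity: 'critical', cves: ['CVE-PLACEHOLDER'],
              findings: [{ version: '0.1.0', paths: ['backend>hypothetical-new-lib'] }] },
    // Below the HIGH threshold: ignored by the weekly review.
    '1005': { module_name: 'hypothetical-moderate-lib', severity: 'moderate', cves: [],
              findings: [{ version: '1.0.0', paths: ['backend>hypothetical-moderate-lib'] }] },
  },
};

// Weekly review entry point; returns the result so a caller can use exitCode.
function runWeeklyReview(report = SAMPLE_REPORT) {
  const result = triageAudit(report);
  console.log(formatTriage(result) || 'no HIGH/CRITICAL advisories');
  return result;
}
```

In use, `JSON.parse` the output of `pnpm audit --json` in `backend/` and pass it to `triageAudit`; a non-zero `exitCode` is the "new CRITICAL/HIGH" alert trigger, while the accepted list stays the reviewer's record that the known advisories are still the same three. Keeping the baseline as an explicit map means an advisory that merely resurfaces under a new id is still accepted, but a jump from HIGH to CRITICAL on an accepted module is not.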

Re-evaluation Criteria

  • Active exploitation detected in wild
  • Public PoC for RCE vulnerability
  • Steam API breaking changes requiring library update
  • DoctorMcKay releases version without request dependency

Alternatives Considered

Option               | Effort    | Risk   | Decision
---------------------|-----------|--------|------------------
Accept current risk  | None      | Medium | ACCEPTED
Migrate to fork      | Low       | Low    | ❌ No fork exists
Rewrite trade system | 3-4 weeks | High   | ❌ Not justified
Remove Steam trade   | N/A       | N/A    | ❌ Core feature

References