npm: Change request to other packages #2229

Closed
massongit opened this issue Oct 5, 2021 · 7 comments · Fixed by #2287
Comments

@massongit

The npm package request is in maintenance mode: request/request#3142
Therefore, request needs to be replaced with another package.

Alternative libraries to request: request/request#3143

@github-actions

github-actions bot commented Oct 5, 2021

Thanks for reporting this! To set expectations:

  • Issues are reviewed in batches, so it can take some time to get a response.
  • Ask questions in a community forum. You will get an answer quicker that way!
  • If you experience something similar, open a new issue. We like duplicates.

Finally, please be patient with the core team. They are trying their best with limited resources.

@lydell
Contributor

lydell commented Oct 5, 2021

esbuild (a popular build tool for JavaScript and TypeScript written in Go) recently switched to an approach that avoids dependencies and postinstall scripts altogether. The creator of esbuild wrote down a very nice explanation of the technique and its pros and cons here:

evanw/esbuild#1621

swc (a similar tool written in Rust) already used that technique, too.

This might be viable for Elm too. Leaving this here in case it helps future decisions!

@sporto

sporto commented Nov 24, 2022

Request 2.88.2 depends on form-data 2.3.3, which depends on json-schema 0.2.3

json-schema 0.2.3 has a critical vulnerability:
GHSA-896r-f27r-55mw

Which is a problem for using Elm if your org needs to comply with security audits (like ours).

So it would be really good to change this

@lydell
Contributor

lydell commented Nov 24, 2022

FYI: The request dependency is being removed in #2287

@adrian-gomez

hi @lydell since #2287 is no longer going to be completed (in the near future) would it be possible to:

  • port the part of the code that replaced request
  • replace request with one of its alternatives

I'm willing to help or take the lead on any of those options.

@lydell
Contributor

lydell commented Apr 17, 2023

@adrian-gomez I’m not sure I understand what you mean. Could we chat about it on Slack perhaps?

@Zeneixe

Zeneixe commented Aug 21, 2023

Do you plan to merge #2287 ?

This issue has been outstanding for 2 years. The following security advisory is well known about the request package:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
