
npm: Change request to other packages

Open massongit opened this issue 2 years ago • 2 comments

The npm package request is under maintenance mode: https://github.com/request/request/issues/3142 Therefore, you need to change request to other packages.

Alternative libraries to request: https://github.com/request/request/issues/3143

massongit avatar Oct 05 '21 21:10 massongit

Thanks for reporting this! To set expectations:

  • Issues are reviewed in batches, so it can take some time to get a response.
  • Ask questions in a community forum. You will get an answer quicker that way!
  • If you experience something similar, open a new issue. We like duplicates.

Finally, please be patient with the core team. They are trying their best with limited resources.

github-actions[bot] avatar Oct 05 '21 21:10 github-actions[bot]

esbuild (a popular build tool for JavaScript and TypeScript written in Go) recently switched to an approach that avoids dependencies and postinstall scripts altogether. The creator of esbuild wrote down a very nice explanation of the technique and its pros and cons here:

https://github.com/evanw/esbuild/pull/1621

swc (a similar tool written in Rust) already used that technique, too.

This might be viable for Elm too. Leaving this here in case it helps future decisions!

lydell avatar Oct 05 '21 21:10 lydell
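As an added illustration of the technique lydell links to (example code, not esbuild's, swc's or Elm's own): the tool's wrapper package declares one `optionalDependencies` entry per supported platform, each platform package carries `os` and `cpu` fields so npm installs only the one matching the host, and a runtime shim simply `require`s it. Nothing is downloaded or executed at install time, so the native binary is covered by the lockfile's integrity hashes like any other tarball. The package names (`@mytool/...`) and the `isInstalled` hook are hypothetical stand-ins so the logic can run without a real `node_modules` tree.

```javascript
// Added example, not code from esbuild, swc or the Elm compiler.
// Hypothetical per-platform package names for a tool called "mytool".
const KNOWN_PLATFORMS = {
  'darwin arm64': '@mytool/darwin-arm64',
  'darwin x64': '@mytool/darwin-x64',
  'linux x64': '@mytool/linux-x64',
  'win32 x64': '@mytool/win32-x64',
};

// Constructed manifests for the platform packages. npm reads "os" and "cpu"
// and skips an optional dependency whose values do not match the host.
function platformManifests(version) {
  const out = {};
  for (const [key, name] of Object.entries(KNOWN_PLATFORMS)) {
    const [os, cpu] = key.split(' ');
    out[name] = { name, version, os: [os], cpu: [cpu] };
  }
  return out;
}

// The wrapper's package.json: every platform package is optional and pinned
// to the wrapper's own version, so exactly one installs and none needs a
// postinstall script.
function wrapperPackageJson(version) {
  const optionalDependencies = {};
  for (const name of Object.values(KNOWN_PLATFORMS)) {
    optionalDependencies[name] = version;
  }
  return { name: 'mytool', version, optionalDependencies };
}

// Mirrors npm's os/cpu filter: which of the optional packages would be
// installed on a host with the given platform and arch?
function installablePackages(manifests, platform, arch) {
  return Object.values(manifests)
    .filter((m) => m.os.includes(platform) && m.cpu.includes(arch))
    .map((m) => m.name);
}

// The runtime shim: locate the package for this host and refuse to run a
// binary whose version does not match the wrapper. In real use the caller
// passes process.platform / process.arch; `isInstalled(name)` is a
// hypothetical hook returning the installed package's manifest or undefined.
function resolveBinary(platform, arch, version, isInstalled) {
  const name = KNOWN_PLATFORMS[`${platform} ${arch}`];
  if (!name) {
    throw new Error(`unsupported platform: ${platform} ${arch}`);
  }
  const installed = isInstalled(name);
  if (!installed) {
    throw new Error(`${name} is not installed; optional dependencies may have been disabled`);
  }
  if (installed.version !== version) {
    throw new Error(`version mismatch: expected ${version}, found ${installed.version}`);
  }
  return `${name}/bin/mytool`;
}
```

The version check matters: because the platform packages are separate artifacts, a partially upgraded tree could pair an old binary with a new wrapper, and failing loudly is preferable to running whatever happens to be present.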

Request 2.88.2 depends on form-data 2.3.3, which depends on json-schema 0.2.3

json-schema 0.2.3 has a critical vulnerability: https://github.com/advisories/GHSA-896r-f27r-55mw

Which is a problem for using Elm if your org needs to comply with security audits (like us).

So it would be really good to change this.

sporto avatar Nov 24 '22 04:11 sporto
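Finding out which direct dependency drags in a flagged transitive one is the first step in an audit like the one sporto describes. As an added example (not code from the Elm compiler or from npm), the function below walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` with Node's nearest-`node_modules`-first resolution rule and prints every dependency chain ending in a target package whose version matches a caller-supplied predicate. The lockfile is constructed to mirror the chain described in the post above; it also nests an old `json-schema` under `form-data` while the root holds a newer one, the situation where a top-level upgrade alone does not remove the finding.

```javascript
// Added example, not from the Elm compiler or npm. The lockfile is constructed.
const CONSTRUCTED_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { request: '^2.88.2', 'json-schema': '^0.4.0' } },
    'node_modules/request': { version: '2.88.2', dependencies: { 'form-data': '~2.3.2' } },
    'node_modules/form-data': { version: '2.3.3', dependencies: { 'json-schema': '0.2.3' } },
    // Nested copy: form-data pins an old json-schema, so npm installs it
    // beneath form-data instead of deduplicating to the root copy.
    'node_modules/form-data/node_modules/json-schema': { version: '0.2.3' },
    'node_modules/json-schema': { version: '0.4.0' },
  },
};

const NM = 'node_modules/';

// Package name from a lockfile path: everything after the last "node_modules/".
// Scoped names (@scope/name) survive because the scope sits after that marker.
function packageName(pkgPath, packages) {
  if (pkgPath === '') return packages[''].name || '(root)';
  return pkgPath.slice(pkgPath.lastIndexOf(NM) + NM.length);
}

// Node's resolution order: the nearest nested node_modules wins, then walk
// upwards one "node_modules/<name>" segment at a time towards the root.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `${NM}${depName}` : `${base}/${NM}${depName}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf(NM);
    base = idx <= 0 ? '' : base.slice(0, idx - 1); // drop trailing "/node_modules/<name>"
  }
}

// Depth-first walk from the root, collecting "name@version" chains that end
// in `target` with a version for which `isAffected(version)` is true.
function chainsTo(lock, target, isAffected) {
  const packages = lock.packages;
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const entry = packages[pkgPath];
    const name = packageName(pkgPath, packages);
    const label = pkgPath === '' ? name : `${name}@${entry.version}`;
    const next = [...chain, label];
    if (pkgPath !== '' && name === target && isAffected(entry.version)) {
      results.push(next.join(' > '));
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDependency(packages, pkgPath, dep);
      if (resolved && !seen.has(resolved)) {
        visit(resolved, next, new Set([...seen, resolved]));
      }
    }
  };
  visit('', [], new Set(['']));
  return results;
}

// Usage: the page only names 0.2.3, so the predicate matches exactly that;
// take the real affected range from the linked advisory.
for (const chain of chainsTo(CONSTRUCTED_LOCK, 'json-schema', (v) => v === '0.2.3')) {
  console.log(chain);
}
```

The `seen` set guards against cycles, which real lockfiles do contain. To audit `optionalDependencies` or `peerDependencies` as well, merge those maps into the loop over `entry.dependencies`.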

FYI: The request dependency is being removed in https://github.com/elm/compiler/pull/2287

lydell avatar Nov 24 '22 08:11 lydell

Hi @lydell, since https://github.com/elm/compiler/pull/2287 is no longer going to be completed (in the near future), would it be possible to:

  • port the part of the code that replaced request
  • replace request with one of its alternatives

I'm willing to help or take the lead on any of those options.

adrian-gomez avatar Apr 17 '23 12:04 adrian-gomez

@adrian-gomez I’m not sure I understand what you mean. Could we chat about it on Slack perhaps?

lydell avatar Apr 17 '23 12:04 lydell

Do you plan to merge https://github.com/elm/compiler/pull/2287?

This issue has been outstanding for 2 years. The following security advisory is well known about the request package:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

Zeneixe avatar Aug 21 '23 13:08 Zeneixe
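The advisory quoted above describes a client that checks only the initial URL and then follows whatever `Location` header comes back, including one that switches scheme. As an added example (not code from request, @cypress/request or Elm), the redirect policy below refuses scheme changes and, going one step further than the advisory text, re-applies the same target policy to every hop of the chain rather than just the first URL. `allowedHosts` is an example allowlist and `fetchOnce` is an injected stand-in for a real HTTP call, so the whole thing runs offline against constructed responses.

```javascript
// Added example, not the request library's code. The responses are constructed.
const MAX_REDIRECTS = 5;

// Per-URL target policy: http(s) only, and the hostname must be on the allowlist.
// Applied to the first URL and to every redirect target alike.
function isAllowedTarget(urlString, allowedHosts) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedHosts.includes(url.hostname);
}

// Decide whether one redirect may be followed. Location may be relative,
// so it is resolved against the URL that produced it.
function redirectDecision(fromUrl, location, allowedHosts) {
  const from = new URL(fromUrl);
  let next;
  try {
    next = new URL(location, from);
  } catch {
    return { follow: false, reason: 'unparseable Location header' };
  }
  if (next.protocol !== from.protocol) {
    return { follow: false, reason: `cross-protocol redirect ${from.protocol} -> ${next.protocol}` };
  }
  if (!isAllowedTarget(next.href, allowedHosts)) {
    return { follow: false, reason: `redirect target ${next.hostname} not allowed` };
  }
  return { follow: true, next: next.href };
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && Boolean(res.headers.location);
}

// Follow a chain with `fetchOnce(url)` returning { status, headers, body }.
// Every hop is validated and the hop count is capped.
function fetchFollowingRedirects(startUrl, allowedHosts, fetchOnce) {
  if (!isAllowedTarget(startUrl, allowedHosts)) {
    return { ok: false, reason: 'initial target not allowed', hops: [] };
  }
  const hops = [startUrl];
  let current = startUrl;
  let redirects = 0;
  for (;;) {
    const res = fetchOnce(current);
    if (!isRedirect(res)) {
      return { ok: true, final: current, status: res.status, body: res.body, hops };
    }
    if (redirects === MAX_REDIRECTS) {
      return { ok: false, reason: 'too many redirects', hops };
    }
    const decision = redirectDecision(current, res.headers.location, allowedHosts);
    if (!decision.follow) {
      return { ok: false, reason: decision.reason, hops };
    }
    current = decision.next;
    hops.push(current);
    redirects += 1;
  }
}

// Constructed server behaviour: one endpoint downgrades https -> http,
// another issues an ordinary same-origin relative redirect.
const CONSTRUCTED_RESPONSES = {
  'https://api.example.com/start': { status: 302, headers: { location: 'http://api.example.com/plain' } },
  'https://api.example.com/ok': { status: 302, headers: { location: '/final' } },
  'https://api.example.com/final': { status: 200, headers: {}, body: 'done' },
};

function constructedFetch(url) {
  return CONSTRUCTED_RESPONSES[url] || { status: 404, headers: {}, body: '' };
}

// Usage: the downgrade is refused, the same-origin redirect is followed.
console.log(fetchFollowingRedirects('https://api.example.com/start', ['api.example.com'], constructedFetch));
console.log(fetchFollowingRedirects('https://api.example.com/ok', ['api.example.com'], constructedFetch));
```

Two design points: the policy is evaluated on the parsed `URL` rather than on the raw string, so `Location` values that are relative, contain userinfo or carry an unusual port are normalised before the hostname check; and the refusal reason is returned to the caller, which is what you want to log when a redirect chain is blocked in production.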