http-assert

Update the dependency `http-errors` to v2

Open jaydenseric opened this issue 1 year ago • 7 comments

The dependency http-errors is a major version out of date:

https://github.com/jshttp/http-assert/blob/b072a1b903d055a7d40dbd7a54cd74e517b56e52/package.json#L13

This is causing problems with multiple versions of HTTP errors floating around codebases, where some are not instanceof each version's HTTP error class.

jaydenseric avatar Aug 23 '24 05:08 jaydenseric
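
An added illustration of the `instanceof` problem described in the issue above (not code from http-assert or http-errors): two installed copies of an error package yield two distinct classes, so an error handler that checks `instanceof` against its own copy falls through to a generic 500. `loadHttpErrorsCopy` and `looksLikeHttpError` are hypothetical names, and the error class is a constructed stand-in.

```javascript
// Constructed stand-in for one installed copy of an HTTP error package.
// Each call returns a distinct class, as two copies in node_modules would.
function loadHttpErrorsCopy() {
  class HttpError extends Error {
    constructor(status, message, expose = status < 500) {
      super(message);
      this.status = this.statusCode = status;
      this.expose = expose;
    }
  }
  return { HttpError };
}

const copyUsedByAssertLib = loadHttpErrorsCopy(); // copy nested under a dependency
const copyUsedByApp = loadHttpErrorsCopy();       // copy the application imports

// Handler that trusts instanceof against the application's own copy.
function respondByInstanceof(err) {
  if (err instanceof copyUsedByApp.HttpError) {
    return { status: err.status, body: err.expose ? err.message : 'Error' };
  }
  return { status: 500, body: 'Internal Server Error' };
}

// Hypothetical shape check: validates the fields instead of the prototype chain.
function looksLikeHttpError(err) {
  return err instanceof Error &&
    Number.isInteger(err.statusCode) &&
    err.statusCode >= 400 && err.statusCode <= 599 &&
    err.status === err.statusCode &&
    typeof err.expose === 'boolean';
}

function respondByShape(err) {
  if (looksLikeHttpError(err)) {
    // Echo the message only when the error was explicitly marked safe to expose.
    return { status: err.status, body: err.expose ? err.message : 'Error' };
  }
  return { status: 500, body: 'Internal Server Error' };
}

// Error created by the dependency's copy, handled by the application.
const thrown = new copyUsedByAssertLib.HttpError(401, 'Authentication required');
```

With `thrown`, `respondByInstanceof` answers 500 while `respondByShape` answers 401, so access-control failures surface as server faults in monitoring until the versions are deduplicated.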

It's also an anti-pattern to use ~ instead of ^ for the version range.

jaydenseric avatar Aug 23 '24 05:08 jaydenseric

Also, http-errors 2.0.0 bumps dependency for legacy depd 1.1.2 which raises security warnings due to eval:

 (!) Use of eval is strongly discouraged
 https://rollupjs.org/troubleshooting/#avoiding-eval
 ../../node_modules/.pnpm/[email protected]/node_modules/depd/index.js
 408:
 409:    // eslint-disable-next-line no-eval
 410:   var deprecatedfn = eval('(function (' + args + ') {\n' +
                           ^
 411:     '"use strict"\n' +
 412:     'log.call(deprecate, message, site)\n' +

steve-o avatar Sep 17 '24 14:09 steve-o

Any news?

mahnunchik avatar Dec 12 '24 23:12 mahnunchik

@jonchurch could you please take a look at this issue?

mahnunchik avatar Aug 22 '25 08:08 mahnunchik

@Phillip9587 @UlisesGascon could anyone help to figure this out?

mahnunchik avatar Sep 03 '25 18:09 mahnunchik

Any news?

mahnunchik avatar Nov 14 '25 15:11 mahnunchik

I've opened https://github.com/jshttp/http-assert/pull/37 to resolve this. It would be great if someone is able to merge and release.

jamesopstad avatar Dec 08 '25 20:12 jamesopstad