realm-js

Dependency on deprecated request package

Open Uninen opened this issue 2 years ago • 5 comments

How frequently does the bug occur?

All the time

Description

When installing the realm package, yarn warns about the deprecated request package (which has been deprecated since Mar 2019!). The related dependencies have security issues.

Stacktrace & log output

warning realm > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
warning realm > request > [email protected]: this library is no longer supported
warning realm > request > [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

Can you reproduce the bug?

Yes, always

Reproduction Steps

  1. yarn add realm

Version

10.11.0

What SDK flavour are you using?

MongoDB Realm (i.e. Sync, auth, functions)

Are you using encryption?

Yes, using encryption

Platform OS and version(s)

macOS

Build environment

Node v16.13.1

Cocoapods version

No response

Uninen avatar Jan 10 '22 17:01 Uninen

@Uninen Thank you for reporting.

git blame package.json tells me that I added the dependency back in 2018 🤣 . I don't think it is needed anymore but we need to verify.

kneth avatar Jan 11 '22 13:01 kneth

Please fix it. Thanks!

000xuandu avatar Jun 15 '22 10:06 000xuandu

It's not fixed. Can I have problems if I use realm?

Raspberry42 avatar Jul 05 '23 00:07 Raspberry42

@Raspberry42 It's not going to be a problem. It has been removed as a dependency in our upcoming v12 and it is currently only used in devDependencies. That being said, we could probably remove it from the v11 dependencies without any issue.

takameyer avatar Jul 05 '23 07:07 takameyer

Thank you ;)

Raspberry42 avatar Sep 24 '23 01:09 Raspberry42
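
The difference between `dependencies` and `devDependencies` that the maintainer's reply turns on, as an added example that is not part of the thread or of realm-js. The manifests are constructed, `my-app` is a hypothetical consumer, and only the package names come from the yarn warnings above.

```javascript
// Constructed manifests (names from the yarn warnings above; contents are assumptions).
const DEPRECATED = new Set(["request", "har-validator", "uuid"]);

function registry(realmManifest) {
  return {
    "my-app": { dependencies: ["realm"] }, // hypothetical consumer
    realm: realmManifest,
    request: { dependencies: ["har-validator", "uuid"] },
    "har-validator": {},
    uuid: {},
  };
}

// Walk only `dependencies` edges: a package manager does not install the
// devDependencies of packages that are themselves dependencies.
function closure(reg, starts, rootName) {
  const paths = new Map(); // package name -> first chain that pulls it in
  const queue = starts.map((n) => [n, [rootName, n]]);
  while (queue.length) {
    const [name, chain] = queue.shift();
    if (paths.has(name)) continue; // already visited; also guards cycles
    paths.set(name, chain.join(" > "));
    for (const dep of (reg[name] && reg[name].dependencies) || []) {
      queue.push([dep, [...chain, dep]]);
    }
  }
  return paths;
}

// Classify flagged packages as seen from `rootName`.
function audit(reg, rootName) {
  const root = reg[rootName] || {};
  const prod = closure(reg, root.dependencies || [], rootName);
  const dev = closure(reg, root.devDependencies || [], rootName);
  const report = { production: [], devOnly: [] };
  for (const name of DEPRECATED) {
    if (prod.has(name)) report.production.push(prod.get(name));
    else if (dev.has(name)) report.devOnly.push(dev.get(name));
  }
  return report;
}

const before = registry({ dependencies: ["request"] });
const after = registry({ devDependencies: ["request"] });
console.log(audit(before, "my-app")); // consumer of a manifest listing request as a dependency
console.log(audit(after, "my-app"));  // consumer once request is dev-only
console.log(audit(after, "realm"));   // the library's own checkout
```

The chains use the same `a > b > c` form as the yarn warnings, so the output can be compared line by line with an install log.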