cypress-io / request

🏊🏾 Simplified HTTP request client.
Apache License 2.0

Request-promise fork depends on (original, deprecated) request-promise-core package #50

Open thw0rted opened 2 months ago

thw0rted commented 2 months ago

It looks like issue submission is not enabled for https://github.com/cypress-io/request-promise so I'm submitting the issue here. Hope that's OK.

I noticed that your forked package still depends on request-promise-core, which introduces (among other things) a transitive dep on the vulnerable request package. Looking at the code in @cypress/request-promise, though, the only code actually used from request-promise-core is this one function; other than lodash, none of the transitive dependencies are actually used.

Would it be permissible to copy the single file (request2.js) from the deprecated codebase into your forked request-promise, and remove the dep on request-promise-core? This would reduce the installed footprint significantly.
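Added example, not part of the original issue or of the project's code: a small Node.js tracer that lists which dependency chains pull a given package (here `request`) into an install, reading the `packages` map of a `package-lock.json`. The lockfile fragment is constructed from the relationships described in the issue, its versions and edge kinds are placeholders, and the function names are hypothetical.

```javascript
// Added example: list the dependency chains that pull `target` into an install.
// Input is the "packages" map of a package-lock.json (lockfileVersion 2 or 3).

// Resolve `name` as required from the package at `fromPath`, mimicking Node's
// nearest-node_modules lookup (nested copy first, then each parent level).
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Depth-first walk from the root project; returns chains like "a > b > target".
function findChains(packages, target) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies, pkg.peerDependencies);
    if (path === "") Object.assign(deps, pkg.devDependencies);
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || seen.has(resolved)) continue; // missing, or already on this chain
      const next = trail.concat(name);
      if (name === target) { chains.push(next.join(" > ")); continue; }
      walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Constructed lockfile fragment (placeholder versions, not real release data).
const SAMPLE_PACKAGES = {
  "": { dependencies: { "@cypress/request-promise": "*" } },
  "node_modules/@cypress/request-promise": {
    version: "0.0.0-constructed", dependencies: { "request-promise-core": "*" } },
  "node_modules/request-promise-core": {
    version: "0.0.0-constructed", dependencies: { lodash: "*", request: "*" } },
  "node_modules/lodash": { version: "0.0.0-constructed" },
  "node_modules/request": { version: "0.0.0-constructed" },
};

console.log(findChains(SAMPLE_PACKAGES, "request"));
```

Run against a real project by passing `require("./package-lock.json").packages` instead of the sample; an empty result means nothing in the tree still resolves to the target.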