elm / compiler

Compiler for Elm, a functional language for reliable webapps.
https://elm-lang.org/
BSD 3-Clause "New" or "Revised" License

npm: Change request to other packages #2229

Closed massongit closed 11 months ago

massongit commented 2 years ago

The npm package request is under maintenance mode: https://github.com/request/request/issues/3142
Therefore, you need to change request to other packages.

Alternative libraries to request: https://github.com/request/request/issues/3143

github-actions[bot] commented 2 years ago

Thanks for reporting this! To set expectations:

Finally, please be patient with the core team. They are trying their best with limited resources.

lydell commented 2 years ago

esbuild (a popular build tool for JavaScript and TypeScript written in Go) recently switched to an approach that avoids dependencies and postinstall scripts altogether. The creator of esbuild wrote down a very nice explanation of the technique and its pros and cons here:

https://github.com/evanw/esbuild/pull/1621

swc (a similar tool written in Rust) already used that technique, too.

This might be viable for Elm too. Leaving this here in case it helps future decisions!

sporto commented 1 year ago

Request 2.88.2 depends on form-data 2.3.3, which depends on json-schema 0.2.3

json-schema 0.2.3 has a critical vulnerability: https://github.com/advisories/GHSA-896r-f27r-55mw

Which is a problem for using Elm if your org needs to comply with security audits (like us).

So it would be really good to change this.

lydell commented 1 year ago

FYI: The request dependency is being removed in https://github.com/elm/compiler/pull/2287

adrian-gomez commented 1 year ago

Hi @lydell, since https://github.com/elm/compiler/pull/2287 is no longer going to be completed (in the near future), would it be possible to:

I'm willing to help or take the lead on any of those options.

lydell commented 1 year ago

@adrian-gomez I’m not sure I understand what you mean. Could we chat about it on Slack perhaps?

Zeneixe commented 1 year ago

Do you plan to merge https://github.com/elm/compiler/pull/2287?

This issue has been outstanding for 2 years. The following security advisory is well known about the request package:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).