As @devjsx already mentioned on #54, the request package is deprecated and has a vulnerable version of the json-schema package:
request@2.88.2 requires json-schema@0.2.3 via a transitive dependency on jsprim@1.4.1
The funny thing is that moleculer-cli doesn't actually use the request package, so we can simply remove it.
It is going to stay in dev dependencies (thanks to coverall, which also looks abandoned), but that's not critical, as at least it won't be published into the moleculer-cli npm package bundle.
P.S. Don't worry about the dev: true changes in the package.lock file; they were made by npm itself during the npm uninstall request command. You can read details here.
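An added example, not part of the original PR description or of moleculer-cli's code: one way to confirm from a lockfile that json-schema is reachable only through dev dependencies after the change. The lockfile excerpt is constructed (flat v1 layout, placeholder versions for coveralls and http-signature), and `buildLock`, `chainsTo` and `isDevOnly` are hypothetical helper names.

```javascript
// Constructed excerpt in the npm lockfile v1 layout (flat, no nested
// "dependencies"); not the project's real file. Placeholder versions are marked.
const entry = (version, requires, dev) => ({ version, requires, ...(dev && { dev }) });
const buildLock = (requestIsDev) => ({
  lockfileVersion: 1,
  dependencies: {
    coveralls: entry("0.0.0-placeholder", { request: "*" }, true),
    request: entry("2.88.2", { "http-signature": "*" }, requestIsDev),
    "http-signature": entry("0.0.0-placeholder", { jsprim: "*" }, requestIsDev),
    jsprim: entry("1.4.1", { "json-schema": "0.2.3" }, requestIsDev),
    "json-schema": entry("0.2.3", {}, requestIsDev),
  },
});

// Walk upward from `target` along "requires" edges and return every chain
// that starts at a package nothing else in the lockfile requires.
function chainsTo(lock, target) {
  const deps = lock.dependencies || {};
  const parentsOf = (name) =>
    Object.keys(deps).filter((p) => name in (deps[p].requires || {}));
  const chains = [];
  const walk = (name, path) => {
    // Cycle guard: never revisit a package already on the current path.
    const parents = parentsOf(name).filter((p) => p !== name && !path.includes(p));
    if (parents.length === 0) chains.push([name, ...path]);
    for (const p of parents) walk(p, [name, ...path]);
  };
  walk(target, []);
  return chains;
}

// True when every package on every chain to `name` carries dev: true, i.e.
// consumers installing the published package never receive it.
// Returns null when `name` is not in the lockfile at all.
function isDevOnly(lock, name) {
  const deps = lock.dependencies || {};
  if (!deps[name]) return null;
  return chainsTo(lock, name).every((chain) => chain.every((n) => deps[n].dev === true));
}

for (const [label, lock] of [["before", buildLock(false)], ["after", buildLock(true)]]) {
  const chain = chainsTo(lock, "json-schema")[0].join(" > ");
  console.log(`${label}: ${chain} | dev-only: ${isDevOnly(lock, "json-schema")}`);
}
```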