As @devjsx already mentioned on #54, the request package is deprecated and has a vulnerable version of json-schema package:
request@2.88.2 requires json-schema@0.2.3 via a transitive dependency on jsprim@1.4.1
The funny thing is that moleculer-cli doesn't actually use the request package, so we can simply remove it.
It is going to stay in dev dependencies (thanks to coverall, which also looks abandoned), but that's not critical, as at least it won't be published into the moleculer-cli npm package bundle.
P.S. don't worry about dev: true changes in the package.lock file, it was made by npm itself during the npm uninstall request command. You can read details here.
As @devjsx already mentioned on #54, the
requestpackage is deprecated and has a vulnerable version ofjson-schemapackage:The funny thing is that
moleculer-clidoesn't actually use therequestpackage, so we can simply remove it. It is going to stay in dev dependencies (thanks to coverall, which also looks abandoned), but that's not critical, as at least it won't be published into themoleculer-clinpm package bundle.P.S. don't worry about
dev: truechanges in thepackage.lockfile, it was made by npm itself during thenpm uninstall requestcommand. You can read details here.