Request’s Past, Present and Future #3142
Comments
I fully support this, I think a warning message and/or deprecating new releases is in order. As for the change in process and guidelines, it makes my job a lot easier.

Very well said @mikeal. I'm pinning this issue to gain more visibility.

Things we might do - please discuss and volunteer!

It makes a lot of sense! I will slowly adopt this policy for the
Why do I keep getting an error if I want to install a project from GitHub using npm?
The message below appeared, so I updated the randomstring version to 1.2.2.

npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
mikeal commented Mar 30, 2019 (edited)
Before I go into the details and reasoning I’ll get straight to the point. The most valuable thing request can do for the JavaScript ecosystem is to go into maintenance mode and stop considering new features or major releases.

Apologies in advance to the other committers on request that have been doing their best to improve it, but it’s for the best.

2009

The first version of request was one of the first modules ever created for the Node.js ecosystem. The earliest versions were written to APIs that pre-date the standard callback interface, streams, node_modules and npm. For the first few years, request and Node.js evolved together, each learning from the other. As Node.js improved and migrated core interfaces so did request. As request adopted changes to the core http library and streams it also informed improvements like the pipe event (which enabled request’s one line proxy) and one of Core http’s many re-writes (the one I had to write).

npm

request was one of the first modules added to the npm registry. As npm grew so did dependence on request. Even now, when npm is used far more for front-end than back-end work, request remains one of the most depended on modules in the registry. As I write this, 41K modules depend on request and it is downloaded 14 million times a week.

The place request has in the Node.js ecosystem is no longer one of an innovator but of an incumbent. If you Google for how to do something with HTTP in Node.js the examples are likely to show request as the client and express as the server. This has two notably bad effects.

It’s much harder for new libraries accomplishing similar tasks to gain adoption because of the incumbent position request holds over the ecosystem. It’s also very hard to change request in any meaningful way as the change not only may not be adopted by the majority of its dependents but it would put it out of alignment with the thousands of blog posts and stack overflow responses that use request.

Modern JavaScript

The last few years have been dramatic ones in JavaScript. Features people had talked about for years went from ideas, to standards, to features you can reliably depend on in most environments. The speed at which these have been adopted is staggering, mostly thanks to auto-updating browsers and an aggressive Node.js release schedule.

The patterns at the core of request are out of date. A few people might argue with that assessment, and I know who they are so I won’t be surprised, but it’s true. I have often been skeptical of the impact some of these features would have only to find myself adopting them wholesale not long after they are available in only the latest release of Node.js.

There’s a transition happening now in the ecosystem to these patterns. How messy that will be is still up in the air and I’m not going to try and read the tea leaves and figure out what the future looks like in that regard. The question for request is “Do we try to survive through that transition?” A year ago, I thought the answer was obvious and that we would, but now I’m convinced of the opposite.

A version of request written to truly embrace these new language patterns is, effectively, a new module. I’ve explored this space a bit already and have a project I’m quite happy with but it is incompatible with request in every conceivable way. What’s the value in a version of request that is incompatible with the old patterns yet not fully embracing the new ones? What’s the point in being partially compatible when there’s a whole world of new modules, written by new developers, that are re-thinking these problems with these patterns in mind?

The best thing for these new modules is for request to slowly fade away, eventually becoming just another memory of that legacy stack. Taking the position request has now and leveraging it for a bigger share of the next generation of developers would be a disservice to those developers as it would drive them away from better modules that don’t have the burden of request’s history.

Maintenance Mode

Here’s the plan.

request will stop accepting new features.
request will stop considering breaking changes.