This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

request has gone into maintenance mode. Maybe replace it. #2851

Open
Tchiller opened this issue Feb 15, 2020 · 19 comments

Comments

@Tchiller

Tchiller commented Feb 15, 2020

Dear team,

thanks for your work!

I would like to report that the package request which you are loading has gone into maintenance mode: request/request#3142

Therefore, yarn is currently giving me:

warning node-sass > request@2.88.2: request has been deprecated, see request/request#3142
warning node-sass > node-gyp > request@2.88.2: request has been deprecated, see request/request#3142

Maybe you find time (and a good replacement) to replace it for your upcoming major release.
Thanks!

@saper
Member

saper commented Feb 15, 2020

That is not a big issue. We could possibly drop the usage of request completely but this could mean some issues for users connecting via proxy.

@cekvenich

ftw I used node-fetch

@nschonni
Contributor

nschonni commented Feb 15, 2020

As your message shows, "request" is also used by node-gyp, so removing it here wouldn't remove the transitive dependency or that second warning. Updating node-gyp is something we're not looking at till the next major version because of breaking changes, but it looks like the latest node-gyp is also still using request https://github.com/nodejs/node-gyp/blob/dab030536b6a70ecae37debc74c581db9e5280fd/package.json#L31
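The point made in the comment above, as an added example that is not part of the original thread: it walks a dependency tree, lists every chain that reaches `request`, and shows that dropping node-sass's own direct use still leaves the chain through node-gyp. The tree is a constructed sample shaped like `npm ls --all --json` output, and the helper names `findPaths` and `dropDirectDependency` are hypothetical.

```javascript
// Constructed sample shaped like `npm ls --all --json` output, reduced to the
// packages named in the warnings above. Versions other than request@2.88.2
// are placeholders.
const tree = {
  name: "my-app",
  dependencies: {
    "node-sass": {
      version: "0.0.0-placeholder",
      dependencies: {
        request: { version: "2.88.2" },
        "node-gyp": {
          version: "0.0.0-placeholder",
          dependencies: { request: { version: "2.88.2" } },
        },
      },
    },
  },
};

// Return every chain from the root's direct dependencies down to `target`,
// e.g. ["node-sass", "node-gyp", "request@2.88.2"].
function findPaths(node, target, trail = []) {
  const paths = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    if (name === target) paths.push([...trail, `${name}@${dep.version}`]);
    // Keep descending: the target may also appear deeper in this subtree.
    paths.push(...findPaths(dep, target, [...trail, name]));
  }
  return paths;
}

// Simulate `parent` dropping its own direct use of `target` while its other
// dependencies keep theirs. Returns a deep copy; the input is not modified.
function dropDirectDependency(node, parent, target) {
  const copy = JSON.parse(JSON.stringify(node));
  (function walk(n, name) {
    if (name === parent && n.dependencies) delete n.dependencies[target];
    for (const [k, d] of Object.entries(n.dependencies || {})) walk(d, k);
  })(copy, copy.name);
  return copy;
}

const before = findPaths(tree, "request").map((p) => p.join(" > "));
const trimmed = dropDirectDependency(tree, "node-sass", "request");
const after = findPaths(trimmed, "request").map((p) => p.join(" > "));
console.log({ before, after });
```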

@nschonni
Contributor

> ftw I used node-fetch

Doing a quick look shows it doesn't have any support for proxies, and wouldn't be a suitable replacement

@cekvenich

@nschonni Thanks for a response and a wonderful lib used by me and thousands.

I do think it puts pressure on gyp if they are the only ones not solving it. However, I have no awareness of the effort, so no matter what, thank you for your efforts!

@xzyfer
Contributor

xzyfer commented Feb 17, 2020

We've looked at this a few times in the past. Previously we've been blocked on backwards compatibility since most request alternatives would require us to drop legacy Node support.

With v5 coming up we're in a position to make this breaking change. I've re-surveyed the http library landscape based on the following resources:

The most viable alternatives IMHO in order of preference are:

There are some shinier, newer options but most refuse to support proxies outright. For this reason make-fetch-happen is the most appealing as it has robust proxy support as a result of being used within npm itself.

@SampsonCrowley

@xzyfer just to throw my two cents in, I don't think backwards compatibility should be a factor whatsoever for a major release when it means keeping deprecated packages. My personal vote would be to remove the dependency completely, and people who rely on legacy node versions (who probably aren't updating a lot of things anyways) can use the older versions. I'd also say proxy support should be added in its own separately maintained package if it causes this much headache in updating the main package to not rely on deprecated packages

@ghost

ghost commented May 2, 2020

Just got it myself, any update on this or.... ? Thanks

@Kike-Ramirez

Just got it myself too, any plan to update it? Thank you!

@Zekfad

Zekfad commented Jun 16, 2020

@saper as a solution for proxy you could use standard node API and pass a hook for Agent, so people could easily use proxy-agent.

@mahnunchik

One more deprecation from request...

npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

@Alessandro-Barbieri

Any progress on this?

@xzyfer
Contributor

xzyfer commented Feb 12, 2021 via email

@SampsonCrowley

@xzyfer what's wrong with make-fetch-happen or axios or a hook for proxy-agent?

I still return to proxy support should be its own separate add-on if it causes this much of a problem in getting rid of deprecated insecure packages for the majority of users

@ObserverOfTime

FWIW node-gyp has replaced request with make-fetch-happen

@easingthemes

According to #2851 (comment) and #2851 (comment) it's obvious that make-fetch-happen is the final choice. Can someone please confirm this, to make it clear for some future PRs, e.g. to prevent unnecessary work, like #2961

@dkarpov-w

Hi. I need some hint which node-sass version to use. 7.0.3 still depends on the outdated request package.
