But more seriously, I'm a bit concerned that there are now about 100 dependencies to node-sqlite3 whereas before there were only... 2? 3?
Would you be open to a PR that replaces request with a less risky option?
I've written an API-compatible drop-in replacement for request that has 0 dependencies.
I don't want credit or to increase my download count or even to promote it, but it is something that is far more secure (by virtue of not having 100 dependencies as attack vectors) and you can literally drop it in as a replacement for 99% of use cases:
It's so small it could just be copy-pasted. No need to even add it as a dependency (again, not trying to promote myself or increase downloads, I just want node-sqlite3 to be "safe" again).
With the various occasions this past year of popular projects that have senseless numbers of dependencies being compromised and having malware installed on people's computers, I'm just very wary of projects with kitchen-sink dependencies like request (no offense to Mikeal or his excellent work).
I haven't even managed to find out for what purpose 'request' was included in the dependencies.
Thanks for the issue, I fully agree with the reasoning.
I did not like this either. I did a bit of investigating into this issue as well a while ago.
cfr #1132
This was a fix that was before my time but I'm open for a PR, but it can't break the issue it was aimed to resolve.
I dug into this a while back and can see request isn't actually used for anything; it appears to be included by mistake... As a correction I now use specifically version 4.0.1. It's relatively minor but I don't like importing an instantly bloated package if I'm deploying to a lean server.
This is a pretty easy fix... I don't know how it's been there for 10+ months.
It is not included by accident. It was done on purpose, in fact node-pre-gyp will use it.
Seems like this was a quick fix for someone's issue. Apparently there were some HTTP proxy issues with Needle, have these been resolved?
4.0.2 release notes: request over needle in node-pre-gyp

Please remove request. It is now deprecated, as can be seen at request/request#3142
Hi,
Seeing that it's deprecated, let's remove it.
If the proxy issue returns, then we'll figure it out using another way.
As the PR has been merged, this issue can be closed now