Node-sqlite3: the 'request' dependency is creating a black hole on my hard disk

Created on 18 Apr 2019 · 7 Comments · Source: mapbox/node-sqlite3

But more seriously, I'm a bit concerned that there are now about 100 dependencies to node-sqlite3 whereas before there were only... 2? 3?

Would you be open to a PR that replaces request with a less risky option?

I've written an API-compatible drop-in replacement for request that has 0 dependencies.

I don't want credit or to increase my download count or even to promote it, but it is something that is far more secure (by virtue of not having 100 dependencies as attack vectors) and you can literally drop it in as a replacement for 99% of use cases:

@root/request.js

It's so small it could just be copy-pasted. No need to even add it as a dependency (again, not trying to promote myself or increase downloads, I just want node-sqlite3 to be "safe" again).

With the various occasions this past year of popular projects that have senseless numbers of dependencies being compromised and having malware installed on people's computers, I'm just very wary of projects with kitchen-sink dependencies like request (no offense to Mikeal or his excellent work).
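The "about 100 dependencies" concern above is a transitive-closure count. As an added example (not code from this thread or from node-sqlite3), the script below computes that closure for each direct dependency from the `packages` map of a lockfileVersion 2/3 package-lock.json, resolving nested node_modules the way npm hoisting does; the lockfile and the `fake-*` / `tiny-http` package names are constructed for illustration.

```javascript
// Resolve `dep` as npm would from the package installed at `fromPath`:
// nearest node_modules first, then walk up towards the project root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. optional, skipped)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk over runtime `dependencies`; returns every installed
// package path reachable from `rootDep`, excluding rootDep itself.
function transitiveClosure(lock, rootDep) {
  const packages = lock.packages;
  const start = resolveDep(packages, "", rootDep);
  if (!start) throw new Error(`unknown direct dependency: ${rootDep}`);
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length) {
    const p = queue.shift();
    for (const name of Object.keys(packages[p].dependencies || {})) {
      const resolved = resolveDep(packages, p, name);
      if (resolved && !seen.has(resolved)) {
        seen.add(resolved);
        queue.push(resolved);
      }
    }
  }
  seen.delete(start);
  return [...seen].sort();
}

// Map each direct runtime dependency of the root project to its closure size.
function dependencyFootprint(lock) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  return Object.fromEntries(direct.map((d) => [d, transitiveClosure(lock, d).length]));
}

// Constructed lockfile: "request" fans out (with one nested duplicate of
// fake-d), "tiny-http" pulls in nothing. Versions omitted for brevity.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { request: "*", "tiny-http": "*" } },
    "node_modules/request": { dependencies: { "fake-a": "*", "fake-b": "*" } },
    "node_modules/fake-a": { dependencies: { "fake-c": "*", "fake-d": "*" } },
    "node_modules/fake-b": { dependencies: { "fake-c": "*", "fake-d": "*" } },
    "node_modules/fake-b/node_modules/fake-d": {},
    "node_modules/fake-c": {},
    "node_modules/fake-d": { dependencies: { "fake-c": "*" } },
    "node_modules/tiny-http": {},
  },
};
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and call `dependencyFootprint` on it; a direct dependency whose count is far above the others is the one to review first.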

All 7 comments

I haven't even managed to find out for what purpose 'request' was included in the dependencies.

Thanks for the issue, I fully agree with the reasoning.
I did not like this either. I did a bit of investigating into this issue as well a while ago.
cfr #1132

This was a fix that was before my time, but I'm open to a PR; it can't break the issue it was aimed to resolve, though.

I dug into this a while back and can see request isn't actually used for anything; it appears to be included by mistake... As a correction I now use specifically version 4.0.1. It's relatively minor but I don't like importing an instantly bloated package if I'm deploying to a lean server.

This is a pretty easy fix... I don't know how it's been there for 10+ months.

It is not included by accident. It was done on purpose, in fact node-pre-gyp will use it.
Seems like this was a quick fix for someone's issue. Apparently there were some HTTP proxy issues with Needle, have these been resolved?

4.0.2 release notes

  • Fixed HTTP proxy support by using request over needle in node-pre-gyp

Please remove request. It is now deprecated, as can be seen at request/request#3142

Hi,

Seeing that it's deprecated, let's remove it.
If the proxy issue returns, then we'll figure it out using another way.

As the PR has been merged, this issue can be closed now.
