
Use alternative for request package #587

Open
techiekalpesh opened this issue May 22, 2023 · 4 comments

Comments

@techiekalpesh

The browserstack-cypress-cli makes use of the request package (2.88.2), which has now been deprecated. Also, the request package (2.88.2) was published 3 years ago, and no new version has been published since.

Are there any plans to change this package and use another one instead?

@grandEL007

Hey there,

Previously, Browserstack attempted to transition from the deprecated request module to an alternative, namely the Axios module. However, they encountered certain difficulties, particularly the HTTP_PROXY was not honored as expected.

As a result, Browserstack decided not to pursue it further.

It's worth noting that the request module had a significant user base with over 17 million weekly downloads, and at that time, it did not present any security concerns. However, making the necessary changes is part of Browserstack's roadmap.

Thanks.

@xcafebabe

For your information, when installing the 'browserstack-cypress-cli' dependency, 8 vulnerabilities are immediately flagged.

This CLI is part of the Browserstack family, and many Browserstack client corporations, including the one I work for, extensively use Browserstack products. Particularly, my company places significant emphasis on keeping our products free from errors and bugs.

While I can override the 'got' and 'tough-cookie' versions with the improved ones, it is not possible for 'request' as the library has been deprecated since 2020.

I believe the team maintaining this CLI should seriously consider keeping it up-to-date and free from the potential security issues of this library.

It's evident that the tool is open source, and any of us can make a PR with the changes. Then my question is: are there enough tests to ensure a smooth replacement of 'request' with 'axios' or the native node 'fetch'? If necessary, my team can commit to using an alpha version with this library change. What do you think?

@xcafebabe

I've noticed that there is a pull request on the way, preparing the change. #596 🙏🏼 🤞🏼

@droca

droca commented May 14, 2024

One year later, this is still open, and the PR for the fix is still in progress and has conflicts.
This is definitely something important to fix.
