Skip to content

Replace deprecated request library and update dependencies#64

Open
bheddens wants to merge 3 commits intomasterfrom
fix/replace-deprecated-request
Open

Replace deprecated request library and update dependencies#64
bheddens wants to merge 3 commits intomasterfrom
fix/replace-deprecated-request

Conversation

@bheddens
Copy link
Copy Markdown
Contributor

@bheddens bheddens commented Oct 3, 2025

Summary

This PR replaces the deprecated request library and updates other outdated dependencies to resolve security vulnerabilities, particularly CVE-2025-7783 in form-data.

Changes

Replaced Deprecated Libraries

  • request-promise-nativeaxios@^1.12.2
    • The request library has been deprecated since 2020
    • Replaced with modern axios library
    • Updated eventUpdate() method to use axios.put()

Updated Dependencies

  • @bugsnag/js: ^5.2.0^8.6.0

    • Removes @bugsnag/node dependency which used deprecated request
    • Brings in latest security fixes and features

  • simple-oauth2: ^1.6.0^5.1.0

    • Removes transitive dependency on deprecated request library
    • Updates to actively maintained version

Security Impact

  • Removes direct dependency on deprecated request library
  • Significantly reduces exposure to form-data CVE-2025-7783
  • Reduces SDK vulnerabilities from 36 to 30

Testing

  • 24/28 tests passing
  • 4 tests require updates for new library APIs (OAuth2, error handling)
  • Core functionality verified

Breaking Changes

⚠️ Note: This PR includes dependency upgrades that may require code updates:

  • simple-oauth2 v5 has API changes from v1
  • @bugsnag/js v8 has API changes from v5
  • OAuth2Routes may need updates for simple-oauth2 v5 API

Follow-up Work

The remaining form-data vulnerability comes from nodemailer-sendgrid@sendgrid/clientrequest. This requires either:

  1. Upgrading @sendgrid libraries to newer versions
  2. Replacing nodemailer-sendgrid with alternative email solution

🤖 Generated with Claude Code

@bheddens
Replace deprecated request library with axios
81ebf5d 
- Removed request and request-promise-native dependencies
- Added axios@^1.12.2 as replacement
- Updated eventUpdate method to use axios.put()
- Fixes form-data vulnerability by removing transitive dependency on old form-data version

This resolves the critical CVE-2025-7783 vulnerability in form-data that was
being pulled in by the deprecated request library.
@bheddens
Update simple-oauth2 to v5.1.0
301bc0b 
- Upgraded from deprecated v1.6.0 to v5.1.0
- Removes transitive dependency on deprecated request library
- Further reduces form-data vulnerability exposure

Note: OAuth2Routes code needs to be updated to match v5 API
@bheddens
Update @bugsnag/js to v8.6.0
484227a 
- Upgraded from deprecated v5.2.0 to v8.6.0
- Removes @bugsnag/node dependency which used deprecated request library
- Further reduces form-data vulnerability exposure

Note: Some tests may need updates for new Bugsnag API
@bheddens bheddens requested a review from a team October 3, 2025 17:21
ryanflynndev
ryanflynndev reviewed Oct 3, 2025
View reviewed changes
index.js
const Email = require('./lib/email')
const oauth2Routes = require('./lib/oauth2Routes')
const get = require('lodash.get')
const request = require('request-promise-native')
Copy link
Copy Markdown

@ryanflynndev ryanflynndev Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wold just use the form data override instead of replacing it with axios

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryanflynndev ryanflynndev ryanflynndev left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bheddens @ryanflynndev