Use alternative for request package about browserstack-cypress-cli HOT 4 OPEN

Hey there,

Previously, Browserstack attempted to transition from the deprecated request module to an alternative, namely the Axios module. However, they encountered certain difficulties, particularly the HTTP_PROXY was not honored as expected.

As a result, Browserstack decided not to pursue it further.

It's worth noting that the request module had a significant user base with over 17 million weekly downloads, and at that time, it did not present any security concerns. However, making the necessary changes is part of Browserstack's roadmap.

Thanks.

from browserstack-cypress-cli.

For your information, when installing the 'browserstack-cypress-cli' dependency, 8 vulnerabilities are immediately flagged.

This CLI is part of the Browserstack family, and many Browserstack client corporations, including the one I work for, extensively use Browserstack products. Particularly, my company places significant emphasis on keeping our products free from errors and bugs.

While I can override the 'got' and 'tough-cookie' versions with the improved ones, it is not possible for 'request' as the library has been deprecated since 2020.

I believe the team maintaining this CLI should seriously consider keeping it up-to-date and free from potential security issues this library.

It's evident that the tool is open source, and any of us can make a PR with the changes. Then my question is: Are there enough tests to ensure a smooth replacement of 'request' with 'axios' or the native node 'fetch' ? If necessary, my team can commit to using an alpha version with this library change. What do you think?

from browserstack-cypress-cli.

I've noticed that there is a pull request on the way, preparing the change. #596 🙏🏼 🤞🏼

from browserstack-cypress-cli.