It looks like issue submission is not enabled for https://github.com/cypress-io/request-promise so I'm submitting the issue here. Hope that's OK.
I noticed that your forked package still depends on `request-promise-core`, which introduces (among other things) a transitive dep on the vulnerable `request` package. Looking at the code in `@cypress/request-promise`, though, the only code actually used from `request-promise-core` is this one function; other than `lodash`, none of the transitive dependencies are actually used.

Would it be permissible to copy the single file (`request2.js`) from the deprecated codebase into your forked `request-promise`, and remove the dep on `request-promise-core`? This would reduce the installed footprint significantly.
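Added example, not part of the original issue or of either project's code: a lockfile walk that lists every dependency chain from the root project to `request`, run before and after the proposed change. The lock data is constructed (placeholder versions, and the `request-promise-core` to `request` edge is modelled as a peer dependency by assumption); `resolveDep`, `findChains`, `sampleLock` and `patchedLock` are hypothetical names, and dev dependencies are not followed.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout.
// Versions are placeholders; the peer-dependency edge is an assumption.
const sampleLock = { packages: {
  "": { dependencies: { "@cypress/request-promise": "0.0.0" } },
  "node_modules/@cypress/request-promise": {
    version: "0.0.0", dependencies: { "request-promise-core": "0.0.0" } },
  "node_modules/request-promise-core": {
    version: "0.0.0", dependencies: { lodash: "0.0.0" },
    peerDependencies: { request: "0.0.0" } },
  "node_modules/lodash": { version: "0.0.0" },
  "node_modules/request": { version: "0.0.0" },
} };

// Node-style resolution: nearest node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an unmet optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of package names from the root project to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    // npm 7+ installs peer dependencies, so they count as edges too.
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...pkg.peerDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next || seen.has(next)) continue; // missing, or a cycle
      if (name === target) { chains.push([...trail, name]); continue; }
      walk(next, [...trail, name], new Set(seen).add(next));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return chains;
}

// The proposed change, modelled on the sample: the fork vendors request2.js
// and lists lodash itself, so request-promise-core is no longer an edge.
const patchedLock = JSON.parse(JSON.stringify(sampleLock));
patchedLock.packages["node_modules/@cypress/request-promise"].dependencies =
  { lodash: "0.0.0" };

console.log(findChains(sampleLock, "request").map((c) => c.join(" > ")));
console.log(findChains(patchedLock, "request")); // stale lock entries are unreachable
```

To check a real project, pass the parsed contents of its `package-lock.json` (lockfileVersion 2 or 3) to `findChains` in place of `sampleLock`.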