request module (jsforce dependency) is deprecated

[techieshark]

The request package has been deprecated: request/request#3142. Additionally, its latest published version, 2.88.2, adds a deprecation warning whenever it is npm-installed. I don't think this is an issue immediately for jsforce but presumably will be should that package be updated in the lockfile.

Alternatives have been listed at: request/request#3143

[lcampos]

Does anyone know if an existing maintainer (or someone else) is looking into this ?

[dorr-home]

This issue has been open for a long time and now is subject to security vulnerability (see https://nvd.nist.gov/vuln/detail/CVE-2023-28155).

[cristiand391]

quick update:
request has been replaced by node-fetch in the 2.0 branch for a long time. We will consider removing node-fetch from jsforce once node's fetch stabilizes (node v20 maybe?: nodejs/node#45684).

aside from security fixes, we aren't doing any feature work on jsforce v1. Will close this once jsforce v3 is GA.

[MaPDores]

Hi @cristiand391,

Since this is a security vulnerability, do you have any expected date for the fix to be released?

[cristiand391]

@MaPDores we are currently working on finishing jsforce v3 and don't plan to fix this in v1, see:
#1360

The reason is that v2 was already refactored to use node-fetch and we don't have the bandwidth to backport it to v1 in a safe way (test jobs in master are old/broken, Salesforce CLI e2e runs on jsforce v2 branches but don't work on v1).

We don't have a hard deadline for the GA, but I would say about ~1 month.

[omril1]

This has been like that for a long time, Is there a workaround for this?

[cristiand391]

This should be fixed in v3, see: #1529