Security Vulnerability Warning (Medium) & Deprecated Dependency (request), Alternatives to tough-cookie?

[kunalawari1999]

Noticed that the tough-cookie package is currently flagged with a medium severity vulnerability. Additionally, one of its key consumers, the request module, has been officially deprecated.
Given these two concerns:

1. Medium vulnerability warning associated with tough-cookie.
2. Deprecated usage of the request module, which relies on tough-cookie.
   https://www.npmjs.com/package/request/v/2.88.2

I’d like to ask:

• Are there any plans to patch or address the reported vulnerability?
• Are there recommended alternatives to tough-cookie for cookie management that align better with modern and actively maintained libraries?

[tglman]

Hi,

The maintenance of this project is on a request base, also with the reduced skill we have right now on this I'm more than happy to review and accept third party pull requests that solve this problems.

It may be possible to address the vulnerability just updating the dependency, in the long term I will try to enable the dependabot on this repo.

Regards

[kunalawari1999]

Hello,
I would like to suggest updating the orientjs module to use axios instead of the deprecated request library.
We replaced the internal usage of request with axios in the REST transport implementation and verified the functionality thoroughly.
All orientjs operations continued to work as expected with axios.
Additionally, we ran the npm test (as defined in the orientjs package.json) for both versions — the original (using request) and the modified version (using axios).
The test results show no regressions and a slight improvement in overall code coverage, confirming that axios is a stable and reliable replacement for request.
The updated package (using axios instead of request) is attached for reference, along with the test result reports for both the request and axios versions.

orientjs npm tests.zip
orientjs-develop_updated.zip

[tglman]

Hi,

Thanks to work trough this, is there any reason why you are sending zip archives here and not doing a PR ?

[kunalawari1999]

Hi,
I initially shared the ZIP archives to provide a quick preview of the changes and test results for review, but I can absolutely prepare a proper pull request with the axios migration and related test updates. I just want to be sure about test results from your side before doing this.

[kunalawari1999]

Hi,
Created pull request for replace request module with axios.
#467