Security vulnerability in peer dependency request

[austince]

Would you accept a PR that upgraded the request peer dependency to ^2.68 in order to fix this security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

[analog-nico]

I think we need to make a balance here. Increasing the version could mean a breaking change for some projects. And on the other side it is the job of the project anyway to install request. After all it’s defined as a peer dependency. What’s your perspective?

[austince]

Hey @analog-nico, totally see your point, though I think it might be riskier to leave it as it can easily lead people to install the vulnerable version, and then only upgrade afterward if something like GitHub or npm notifies them.

If we're worried about breaking changes, what do you think about bumping the min version to ^2.68 and releasing it as a major release?

[analog-nico]

I have a change in the pipeline that will be a breaking change as well. So let me include it with it then. May take a while though.

[austince]

Ok, sounds good - thanks! Any place that we can track that?

[jjwilliams42]

Has anything moved with this issue? This is the last peer dependency we need to update to get rid of all security vulnerabilities.