Description
The project currently depends on postman-request, which is unmaintained, and CI tests against Node 12/14/16, all of which are EOL.
I'd like to propose modernizing the project:
- Drop Node 12/14/16 support, require Node >= 18 (add `engines` field to `package.json`)
- Replace `postman-request` with `axios` — a widely maintained, modern HTTP client
- Add `oauth-1.0a` package for OAuth 1.0a support (previously bundled in `postman-request`)
- Add `form-data` package for multipart form handling
- Replace `rewire` with `nock` for HTTP-level test mocking
- Update CI to test on Node 18, 20, and 22
- Upgrade GitHub Actions to `checkout@v4` and `setup-node@v4`
- Upgrade all Babel and dev dependencies to current versions
- Add `.mocharc.yml` for cleaner Mocha configuration
- Remove dead david-dm.org badge links from README (service is defunct)
I have a working branch with all of these changes and have opened PR #377.
Why this change is needed
Security
The current postman-request dependency tree pulls in packages with known security vulnerabilities:
- `tough-cookie` prototype pollution (CVE-2023-26136) — reported in "bump postman request to solve tough cookie vulnerability" #365 and "Upgrade postman-request to v2.88.1-postman.33" #366
- `har-validator` is deprecated and pulls in old versions of `ajv` with known issues
- `punycode` deprecation warnings on newer Node.js versions — reported in "Deprecation Warning punycode" #371
Replacing the entire postman-request dependency tree with axios (which has only 3 dependencies) eliminates all of these transitive vulnerabilities at once rather than playing whack-a-mole with individual sub-dependency bumps.
Node.js end-of-life
- Node 12 reached EOL on April 30, 2022
- Node 14 reached EOL on April 30, 2023
- Node 16 reached EOL on September 11, 2023
The Node.js project is planning to issue a blanket CVE for all EOL versions to flag that running these versions exposes applications to unpatched vulnerabilities (e.g., DNS hijack via CVE-2021-22931, HTTP/2 use-after-free via CVE-2021-22940, certificate verification bypasses via CVE-2021-44531/44532/44533).
Ecosystem health
- `postman-request` has 21 direct dependencies compared to axios's 3 — raised in "Package size seems to be a bit excessive" #332
- The original `request` library was deprecated in March 2019; `postman-request` was adopted as a stopgap in "Moving to postman-request" #331
- Moving to axios was first proposed in "Moving from request to axios" #348 (Oct 2022), where contributor @Seth10001 approved the direction. In that same issue, @nitk-shashankshah reported their security scanner was flagging tough-cookie vulnerabilities in Dec 2023
- The `punycode` deprecation warning ("Deprecation Warning punycode" #371) is caused by `postman-request`'s transitive dependency on `@postman/tough-cookie` and `har-validator`
Other benefits
- Smaller install footprint: axios has far fewer transitive dependencies, reducing install size and audit surface
- Modern API: axios natively supports Promises and async/await, aligning with modern JavaScript patterns
- Active maintenance: axios has 104M+ weekly downloads and an active maintainer community
- GitHub Actions upgrades: `checkout@v2` and `setup-node@v1` are outdated and missing security fixes present in v4
Related issues
This PR addresses or supersedes the following open issues:
- Moving from request to axios #348 — Moving from request to axios (proposed Oct 2022)
- Package size seems to be a bit excessive #332 — Package size seems to be a bit excessive
- bump postman request to solve tough cookie vulnerability #365 — Bump postman-request to solve tough-cookie vulnerability
- Upgrade postman-request to v2.88.1-postman.33 #366 — Upgrade postman-request to v2.88.1-postman.33
- Deprecation Warning punycode #371 — Deprecation Warning punycode
And builds on the historical context from:
- Moving to postman-request #331 — Moving to postman-request (the original stopgap from `request`)