request · Jan 9, 2019 · Jan 14, 2019 · Feb 14, 2019 · Feb 14, 2019 · Feb 14, 2019
Showing with 37 additions and 10 deletions.

+1 −1 .publishrc

+6 −0 .travis.yml

+1 −1 LICENSE

+24 −3 README.md

+4 −4 package.json

+1 −1 test/spec/request-test.js
diff --git a/.publishrc b/.publishrc
@@ -1,6 +1,6 @@
 {
   "validations": {
-    "vulnerableDependencies": true,
+    "vulnerableDependencies": false,
     "uncommittedChanges": true,
     "untrackedFiles": true,
     "sensitiveData": true,

diff --git a/.travis.yml b/.travis.yml
@@ -11,7 +11,13 @@ matrix:
     env: V_REQUEST=latest
   - node_js: "6"
     env: V_REQUEST=latest
+  - node_js: "8"
+    env: V_REQUEST=latest
+  - node_js: "10"
+    env: V_REQUEST=latest
 
 before_install:
   - npm install tough-cookie
   - npm install request@$V_REQUEST
+
+install: npm install
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 ISC License
 
-Copyright (c) 2017, Nicolai Kamenzky and contributors
+Copyright (c) 2020, Nicolai Kamenzky and contributors
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

diff --git a/README.md b/README.md
@@ -10,11 +10,19 @@
 [![Dependency Status](https://img.shields.io/david/request/request-promise-native.svg?style=flat-square&maxAge=2592000)](https://david-dm.org/request/request-promise-native)
 [![Known Vulnerabilities](https://snyk.io/test/npm/request-promise-native/badge.svg?style=flat-square&maxAge=2592000)](https://snyk.io/test/npm/request-promise-native)
 
-This package is similar to [`request-promise`](https://www.npmjs.com/package/request-promise) but uses native ES6 promises.
+# Deprecated!
+
+As of Feb 11th 2020, [`request`](https://github.com/request/request) is fully deprecated. No new changes are expected to land. In fact, none have landed for some time. This package is also deprecated because it depends on `request`.
+
+Fyi, here is the [reasoning of `request`'s deprecation](https://github.com/request/request/issues/3142) and a [list of alternative libraries](https://github.com/request/request/issues/3143).
+
+---
+
+This package is similar to [`request-promise`](https://www.npmjs.com/package/request-promise) but uses native ES6+ promises.
 
 Please refer to the [`request-promise` documentation](https://www.npmjs.com/package/request-promise). Everything applies to `request-promise-native` except the following:
-- Instead of using Bluebird promises this library uses native ES6 promises.
-- Mind that native ES6 promises have fewer features than Bluebird promises do. In particular, the `.finally(...)` method is not available.
+- Instead of using Bluebird promises this library uses native ES6+ promises.
+- Native ES6+ promises may have fewer features than Bluebird promises do. In particular, the `.finally(...)` method was not included until Node v10.
 
 ## Installation
 
@@ -49,6 +57,19 @@ If you want to debug a test you should use `gulp test-without-coverage` to run a
 
 ## Change History
 
+- v1.0.9 (2020-07-21)
+    - Security fix: bumped `request-promise-core` which bumps `lodash` to `^4.17.19` following [this advisory](https://www.npmjs.com/advisories/1523).
+- v1.0.8 (2019-11-03)
+    - Security fix: bumped `request-promise-core` which bumps `lodash` to `^4.17.15`. See [vulnerabilty reports](https://snyk.io/vuln/search?q=lodash&type=npm).
+      *(Thanks to @aw-davidson for reporting this in issue [#49](https://github.com/request/request-promise-native/issues/49).)*
+- v1.0.7 (2019-02-14)
+    - Corrected mistakenly set `tough-cookie` version, now `^2.3.3`
+      *(Thanks to @evocateur for pointing this out.)*
+    - If you installed `request-promise-native@1.0.6` please make sure after the upgrade that `request` and `request-promise-native` use the same physical copy of `tough-cookie`.
+- v1.0.6 (2019-02-14)
+    - Using stricter `tough-cookie@~2.3.3` to avoid installing `tough-cookie@3` which introduces breaking changes
+      *(Thanks to @jasonmit for pull request [#33](https://github.com/request/request-promise-native/pull/33/))*
+    - Security fix: bumped `lodash` to `^4.17.11`, see [vulnerabilty reports](https://snyk.io/vuln/search?q=lodash&type=npm)
 - v1.0.5 (2017-09-22)
     - Upgraded `tough-cookie` to a version without regex DoS vulnerability
       *(Thanks to @sophieklm for [pull request #13](https://github.com/request/request-promise-native/pull/13))*

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "request-promise-native",
-  "version": "1.0.5",
+  "version": "1.0.9",
   "description": "The simplified HTTP request client 'request' with Promise support. Powered by native ES6 promises.",
   "keywords": [
     "xhr",
@@ -33,9 +33,9 @@
     "node": ">=0.12.0"
   },
   "dependencies": {
-    "request-promise-core": "1.1.1",
-    "stealthy-require": "^1.1.0",
-    "tough-cookie": ">=2.3.3"
+    "request-promise-core": "1.1.4",
+    "stealthy-require": "^1.1.1",
+    "tough-cookie": "^2.3.3"
   },
   "peerDependencies": {
     "request": "^2.34"

diff --git a/test/spec/request-test.js b/test/spec/request-test.js
@@ -146,7 +146,7 @@ describe('Request-Promise-Native', function () {
         var cookiejar = rp.jar();
 
         expect(function () {
-            cookiejar.setCookie(sessionCookie, 'https://api.mydomain.com');
+            cookiejar.setCookie(sessionCookie.toString(), 'https://api.mydomain.com');
         }).to.not.throw();
 
     });