After eleven months of planning, the npm-distributed
The almost 48,000 other npm modules that include
request as a dependency won't see any immediate effect, other than a deprecation warning from the npm command line client. But the maintainers of those modules should consider revising their code so it uses an alternative library for handling HTTP interactions.
Last March, he presented a plan to stop work on
request, an Apache 2.0 licensed open source project that lists 282 contributors in its GitHub repository.
request are out of date. When he considered updating
request in 2018 to conform with more modern practices, the idea seemed feasible. But last year, he came to the opposite conclusion and decided to stop updating the code so more modern modules have a chance to evolve.
The best thing for these new modules is for request to slowly fade away...
"The best thing for these new modules is for
request to slowly fade away, eventually becoming just another memory of that legacy stack," he wrote.
"Taking the position
request has now and leveraging it for a bigger share of the next generation of developers would be a disservice to those developers as it would drive them away from better modules that don’t have the burden of
In an email to The Register, Rogers explained that he created
request at the same time he was working on the Node.js Core in the early days of Node.js. Consequently, the module implemented many early Node.js patterns like standard callbacks and streams.
"That history is important in understanding how tightly
request is bound to have been replaced with better patterns (async/await, async generators, fetch) that developers in the ecosystem have since moved to, including myself."
request today are often including layers of indirection in order to port those old patterns to new ones," he said. "This shows up in bundle sizes, performance, and debuggability, and there are numerous newer libraries that don’t have these problems."
Projects like Gatsby, Auth0, and VinylDNS have already swapped out
request for alternative HTTP-handling modules like
axios. Rogers created his own successor,
bent. While some maintainers of other
request-dependent npm modules may be making plans to transition, it's likely others will dither, ensuring that
request lingers for years.
Rogers said a lot of libraries rely on
request as a transitive dependency, meaning they depend on another library that implements
"As a result,
request anyone should actually be concerned about."
"Even if no new modules depend on
request, and even if no new versions of existing modules depend on
request will retain a very high number of dependents," said Rogers.
"Since old versions of modules are never removed from the registry, older versions of modules will continue to rely on older versions of
GitHub gathers friends for a security code cleanse to scrub that software up to specREAD MORE
Rogers expects a lot of inertia, with new modules implementing
request and older one continuing to publish updates without replacing
"That’s why I deprecated the package today," he said. "
Request has been in maintenance mode for almost a year and will continue to be indefinitely. The deprecation just surfaces to users, in the form of a warning, that they are depending on deprecated code."
Asked how he and his fellow maintainers are dealing with
request's retirement, Rogers said most of the project contributors dealt with their feelings about the project a year ago when the deprecation plan was announced.
"That was the real change, it put to bed all the ideas and threads we had about what the next big version would be like, or how we might change
request to adopt new patterns," he said.
"I can’t speak for all the maintainers. For me,
request has its day and I’m proud to have written it. Few libraries are ever this broadly adopted or recognized. But there’s no point in trying to hold on to what it was. The greatest contribution