[v13.0.0 Blocker] Refactor functions:shell to not use request

[sadhon]

I am trying to run "npm install -g firebase-tools" command on linux OS but it gives me the above error every time.On the other hand when I try to run "npx create-react-app app-name" command, it works fine. I searched the solution on the internet but did not find any acceptable solution. Is there any way to fix this problem.

[samtstern]

@sadhon thanks for reporting this! The request module is one of the most popular libraries in the whole ecosystem so the deprecation has hit almost everyone, including us.

@bkendall is already working on removing request from firebase-tools.

Right now you do not need to worry about this, it's not a security vulnerability and we expect it to be fixed in a future version.

[bogacg]

Today [email protected] installation is aborted due to this issue.

[samtstern]

@bogacg can you show logs from an aborted install?

[bogacg]

@samtstern I re-executed global install command and sorry, that one is a WARN, problem is @sindresorhus%2fis

npm -g install [email protected]
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.2 (node_modules\firebase-tools\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@sindresorhus%2fis - Not found
npm ERR! 404
npm ERR! 404  '@sindresorhus/is@^0.14.0' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'got'
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:

You need full log?

[samtstern]

That's a global ongoing npm issue today, please see:
https://status.npmjs.org/incidents/cksjqc1w11v5

[AkhileshHN]

The issue is still not resolved
I'm tried almost 100 times still same error unable to install firebase-tools

[bkendall]

You may need to run npm cache clean to clear out any bad URLs you an into during the outage (untested, but that would be what I would do)

[bogacg]

As of npm@5, 
the npm cache self-heals from corruption issues and data extracted from the cache is guaranteed to be valid.
If you want to make sure everything is consistent, use 'npm cache verify' instead.

...after npm cache verify I was able to install 👍

[67joseph]

Yes thanks bogacg npm cache verify worked well

[manojmadhu]

Yes, its worked after npm cache verify . Thank you very much.

[moodstudioseva]

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request has been deprecated, see request/request#3142
I got this output after typing the command "npm install --global surge".
I tried "npm cache verify" like some of you did, but for me it doesn't solve the problem I again get these outputs.
Can someone help me?

[poojabhargava30]

npm WARN deprecated [email protected]: request has been deprecated, see request/request#3142
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: cross-spawn no longer requires a build toolchain, use it instead
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
/home/ubuntu/npm/bin/yo -> /home/ubuntu/npm/lib/node_modules/yo/lib/cli.js
/home/ubuntu/npm/bin/yo-complete -> /home/ubuntu/npm/lib/node_modules/yo/lib/completion/index.js

[email protected] postinstall /home/ubuntu/npm/lib/node_modules/yo
yodoctor

Yeoman Doctor
Running sanity checks on your system

✔ No .bowerrc file in home directory
✔ Global configuration file is valid
✖ NODE_PATH matches the npm root

Unable to find the npm root, something went wrong.
Try to execute npm -g root --silent on your command-line

✔ No .yo-rc.json file in home directory
✔ Node.js version
{ Error: Couldn't find the 'yo' binary. Make sure it's installed and in your $PATH
at Process.ChildProcess._handle.onexit (internal/child_process.js:240:19)
at onErrorNT (internal/child_process.js:415:16)
at process._tickCallback (internal/process/next_tick.js:63:19)
errno: 'ENOENT',
code: 'ENOENT',
syscall: 'spawn yo',
path: 'yo',
spawnargs: [ '--version' ],
cmd: 'yo --version' }
✖ yo version
{ Error: Couldn't find the 'yo' binary. Make sure it's installed and in your $PATH
at Process.ChildProcess._handle.onexit (internal/child_process.js:240:19)
at onErrorNT (internal/child_process.js:415:16)
at process._tickCallback (internal/process/next_tick.js:63:19)
errno: 'ENOENT',
code: 'ENOENT',
syscall: 'spawn yo',
path: 'yo',
spawnargs: [ '--version' ],
cmd: 'yo --version' }
✔ npm version

Found potential issues on your machine :(

• [email protected]
  updated 1 package in 18.362s

### please help me with this error

[satyaprasad317]

Any one have resolution for this.

[ghost]

try to install npm new version i try with that and work!! command: npm install -g npm

[akauppi]

@samtstern Any news about this?

To help you, jsdom (used in JEST) has gone through a similar re-engineering, and landed on node-fetch. Their solution is coming up soon, leaving firebase-tools the only tool I use that still brings up this warning.

• Replace request with something better
• Replace request (as a direct dependency) with node-fetch

From a developer point of view, it's annoying that there will likely be great announcements on Google IO while an issue like this is still open. Also maintenance is important. 🧹

Current situation:

$ npm init
...

$ npm install -D firebase-tools
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

added 710 packages, and audited 711 packages in 19s

28 packages are looking for funding
  run `npm fund` for details

4 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

[akauppi]

Related: @firebase/rules-unit-testing has the same issue: firebase/firebase-js-sdk#3009

[samtstern]

It's true that request is deprecated but that doesn't mean it's in any way dangerous! There is nothing related to request or its dependencies in our npm audit report. I have just sent out a PR to significantly clear up our npm audit report:
#3368

We have made a decision not to rush and try to remove request from the codebase all at once as that will almost certainly introduce bugs. Instead we are moving away piece-by-piece as we fix other things.

If anyone wants to pick a part of this codebase and remove request, PRs are welcome!

[akauppi]

I'm not very worried about it either - and it's reassuring just to know you're taking it away, alongside other work.

The audits are a bigger concern, and I'm glad to see the PR you mention.

[jimmywarting]

given that fetch is now built right in to nodejs deno and workers
i think that you should aim at using fetch instead, wether it comes from node-fetch undici or node itself...
using something like axios isn't good as it dose not work in workers and dose not support streaming.

[akauppi]

Voting for undici since the Node implementation is using it.

[bkendall]

request is going to be completely removed in the next breaking change.

[Brian-McBride]

It seems, while removing deprecated packages, uuid is an easy update as well as debug.
These warnings have been hanging around too long. They give SecOps teams heartburn.

❯ npm -g install [email protected]
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

[joehan]

Update on this:

This is on our radar, and we've stopped using this dependency almost everywhere in the codebase. However, the functions:shell command, which provides a REPL for testing out your functions, exposes request as part of its public API, so we cannot easily remove request without making a breaking change. Next time we release a major version, we plan to make this change & remove request - however, for now, hold tight and rest assured that this package is minimally used in firebase-tools

[ghost]

It's been nearly 3 years since this issue was posted, when will the dependencies be removed...?

[brianwestphal]

There's now a moderate security issue on the deprecated request package, which I assume will never be fixed. Is there a timeline for removing the last remaining request package usage?

[gr8kev]

I have the same issue .
What is the solution please

[bkendall]

request is only used in functions:shell any more. Changing the interface there is non-trivial, since it exposed request's interface. But, nowhere else in the code do we use request. We're aware of the warning and are trying to prioritize fixing functions:shell, but don't have an ETA to share yet.

[KuSh]

request is affected by 2 vulnerabilities :

• moderate Server-Side Request Forgery, more info: https://www.npmjs.com/advisories/1091725
• moderate tough-cookie Prototype Pollution vulnerability, more info: https://www.npmjs.com/advisories/1092448