Updated request to avoid security vulnerability in dep

[rankida]

Hi,

Older versions of hoek have a security vulnerability https://snyk.io/vuln/npm:hoek:20180212 and this is pulled in by old versions of request.

This PR simply bumps request to to 2.87.0 (from 2.81.0) to avoid this issue.

Please let me know if I have done anything wrong with this PR.

Thanks!

[zkat]

We are intentionally not upgrading request to 2.87.0 until node-gyp gets around to unpinning that package. We can't really do much about it being in our tree, and having the toplevel request be a different version than what node-gyp uses is significantly increasing the package size for our distributed tarball.

As far as we're concerned, the issues with hoek do not pose a risk to npm itself, which is why we decided to let the audit be a little noisy for now.

You wanna try and convince the node-gyp folks to fix that bit? :)

[zkat]

I'm gonna actually close this, and there's also a more thorough answer on the discussion board: https://npm.community/t/npm-i-npm-6-2-0-latest-shows-security-noise/709/3

tl;dr you're safe. Like, for sure.

[rankida]

Thanks for taking the time to reply.

Cheers!