@yashkohli88
Contributor

Overview

This PR removes the deprecated request package and replaces its usage for downloading packages across all supported ecosystems with a new getStream function.
It also updates dependencies and modernizes related testing and fetch logic.

Key Changes

  • New getStream function in lib/fetch.js exported to provide streaming downloads using axios.
  • Replaced all usage of request in package fetchers across:
    • Conda
    • Debian
    • Go
    • Maven
    • NPM
    • Composer
    • PyPI
    • RubyGems
  • Removed the deprecated request dependency from package.json.
  • Updated axios to version 1.11.0.
  • Updated tests and mocks to match new streaming approach, including proxyquire stubs.
  • Addressed formatting issues and cleaned up code.

Motivation

  • The request package is deprecated and no longer maintained.
  • Modern HTTP libraries like axios offer better security, support, and community engagement.
  • Uniform download logic across all ecosystem fetchers simplifies maintenance and enables enhancements.

Testing

  • Updated and added unit tests for getStream and affected providers.
  • Tests cover both direct URL and options object, as well as default headers and error handling.
  • Updated all test and mock code to use Promise-based streaming stubs for fetchers.

Closes: #573

jamesiri and others added 27 commits December 9, 2025 15:32
Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 6.0.5 to 6.0.6.
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/v6.0.6/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v6.0.5...v6.0.6)

---
updated-dependencies:
- dependency-name: cross-spawn
  dependency-version: 6.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11 to 2.4.12.
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

---
updated-dependencies:
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependency [morgan](https://github.com/expressjs/morgan). These dependencies need to be updated together.


Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `morgan` from 1.9.1 to 1.10.1
- [Release notes](https://github.com/expressjs/morgan/releases)
- [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md)
- [Commits](expressjs/morgan@1.9.1...1.10.1)

---
updated-dependencies:
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
- dependency-name: morgan
  dependency-version: 1.10.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 1.9.0 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `path-to-regexp` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v1.8.0...v1.9.0)

Updates `express` from 4.19.2 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](expressjs/express@4.19.2...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-version: 1.9.0
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.21.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

@yashkohli88 force-pushed the yk/update-dep-request branch 2 times, most recently from 975855c to 8d5c962, December 9, 2025 16:53

@yashkohli88 marked this pull request as ready for review December 10, 2025 09:34