Dependency `request` is missing and vulnerable

[SNThrailkill]

Environment details

• OS: MacOS 14.4.1
• Node.js version: 20.11.1
• npm version: 10.2.4
• gax-nodejs version: 4.3.1

Steps to reproduce

1. Add @google-cloud/pubsub as a dependency to any project
2. Run npm install
3. Run npm run build or equivalent

Error

⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '/app/node_modules/google-gax/build/src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-cloud/pubsub/build/src/index.js
./src/app/my/code/pubsub.ts

Workaround
Add request as a dependency of the project by running npm install request --save

Additional Issue
On top of being missing from this package, the request package has been deprecated for 4 years and is vulnerable due to its reliance on the tough-cookie package that has well known vulnerabilities (Link 1, Link 2, Link 3).

[TrygveDev]

Same issue here when adding the @google-analytics/data as a dependency.

Environment details

• OS: Windows 11
• Node: 20.11.1
• npm: 10.4.0
• google-gax: 4.3.2

Error

 ⚠ ./node_modules/google-gax/build/src/streamingRetryRequest.js
Module not found: Can't resolve 'request' in '-\node_modules\google-gax\build\src'

Import trace for requested module:
./node_modules/google-gax/build/src/streamingRetryRequest.js
./node_modules/google-gax/build/src/streamingCalls/streaming.js
./node_modules/google-gax/build/src/index.js
./node_modules/@google-analytics/data/build/src/v1alpha/alpha_analytics_data_client.js
./node_modules/@google-analytics/data/build/src/v1alpha/index.js
./node_modules/@google-analytics/data/build/src/index.js
./-

[SNThrailkill]

Hey @alexander-fenster can you add a security tag to this issue?

[nicole0707]

Given that there is an existing dependency node-fetch https://github.com/googleapis/gax-nodejs/blob/main/gax/package.json#L19, could we just swap request to node-fetch?

[nicole0707]

If the intent is that a request library must be provided to retry-request, would it be sufficient to throw an error here instead of requiring a module that is not a dependency?

[wvanderdeijl]

I have submitted PR googleapis/gax-nodejs#1590 to use teeny-request instead of request. The retry-request module that needs one of these dependencies also advices to use teeny-request instead of request and already has its own dependency on retry-request, so retry-request is already a (transitive) dependency of google-gax

[ThulinaWickramasinghe]

I've faced a similar issue. I'm working on a Next.js project using Next 14 app router. I also came across this.

https://www.reddit.com/r/react/comments/tqv6gv/facing_breaking_change_webpack_5_used_to_include/