The request package used by Node 4.3.0 is depreciated

[aakashbhatiaaccenture]

SDK you're using (please complete the following information):

• Version [e.g. 4.37.0]

Describe the bug
xero-node >=4.0.0-alpha.1 depends on vulnerable versions of request. The request package itself is depreciated.

To Reproduce
Steps to reproduce the behavior:

1. Install xero-node >= 4.0.0 using npm
2. Run 'npm audit'
3. See the vulnerability listed

Expected behavior
It should not make use of the depreciated package. Instead it could one the following listed packages: request/request#3143

[github-actions]

PETOSS-381

[github-actions]

Thanks for raising an issue, a ticket has been created to track your request

[AndrewLugg]

They have known about this for over a year, and not seeming to care. I feel this package is unmaintained. They are updating the xero api endpoints, but not maintaining any security updates.

[manishT72]

Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

[aakashbhatiaaccenture]

Apologies for the delay. We have removed direct dependencies on request module in version 5.0.0. We will soon remove it from other nested package dependencies.

Thanks very much, really appreciate it

[sangeet-joy-tw]

this issue is fixed in latest version of xero-node.