NBD: A popular HTTP-fetching npm code library used by 48,000 other modules retires, no more updates coming

Downloaded 17m times a week, now coders should consider an alternative

Cowboy silhouette on a horse during sunset

After eleven months of planning, the npm-distributed request module has been deprecated, meaning the popular JavaScript code library for making HTTP requests is no longer supported and won't receive further updates.

The almost 48,000 other npm modules that include request as a dependency won't see any immediate effect, other than a deprecation warning from the npm command line client. But the maintainers of those modules should consider revising their code so it uses an alternative library for handling HTTP interactions.

Request, now at version 2.88.2 and still downloaded almost 17m times a week, was created in 2009 by Mikeal Rogers, who presently handles community operations at open source biz Protocol Labs.

Last March, he presented a plan to stop work on request, an Apache 2.0 licensed open source project that lists 282 contributors in its GitHub repository.

Despite the module's popularity, Rogers said that the JavaScript ecosystem has been changing rapidly and the code patterns at the heart of request are out of date. When he considered updating request in 2018 to conform with more modern practices, the idea seemed feasible. But last year, he came to the opposite conclusion and decided to stop updating the code so more modern modules have a chance to evolve.

The best thing for these new modules is for request to slowly fade away...

"The best thing for these new modules is for request to slowly fade away, eventually becoming just another memory of that legacy stack," he wrote.

"Taking the position request has now and leveraging it for a bigger share of the next generation of developers would be a disservice to those developers as it would drive them away from better modules that don’t have the burden of request's history."

In an email to The Register, Rogers explained that he created request at the same time he was working on the Node.js Core in the early days of Node.js. Consequently, the module implemented many early Node.js patterns like standard callbacks and streams.

"That history is important in understanding how tightly request is bound to those old patterns," said Rogers. "JavaScript and Node.js have evolved a lot since then and all of the patterns request is bound to have been replaced with better patterns (async/await, async generators, fetch) that developers in the ecosystem have since moved to, including myself."

"Developers using request today are often including layers of indirection in order to port those old patterns to new ones," he said. "This shows up in bundle sizes, performance, and debuggability, and there are numerous newer libraries that don’t have these problems."

Projects like Gatsby, Auth0, and VinylDNS have already swapped out request for alternative HTTP-handling modules like got and axios. Rogers created his own successor, bent. While some maintainers of other request-dependent npm modules may be making plans to transition, it's likely others will dither, ensuring that request lingers for years.

Rogers said a lot of libraries rely on request as a transitive dependency, meaning they depend on another library that implements request.

"As a result, request shows up in the package tree of almost all popular libraries and frameworks, but it’s unclear to me how much the code is actually used," he said. "The JavaScript ecosystem is simply too large, and the dependency graphs too interdependent, for anyone to get an accurate picture of how much of the remaining dependence on request anyone should actually be concerned about."

"Even if no new modules depend on request, and even if no new versions of existing modules depend on request, request will retain a very high number of dependents," said Rogers.

"Since old versions of modules are never removed from the registry, older versions of modules will continue to rely on older versions of request."

GitHub logo on phone

GitHub gathers friends for a security code cleanse to scrub that software up to spec

READ MORE

Rogers expects a lot of inertia, with new modules implementing request and older one continuing to publish updates without replacing request.

"That’s why I deprecated the package today," he said. "Request has been in maintenance mode for almost a year and will continue to be indefinitely. The deprecation just surfaces to users, in the form of a warning, that they are depending on deprecated code."

Asked how he and his fellow maintainers are dealing with request's retirement, Rogers said most of the project contributors dealt with their feelings about the project a year ago when the deprecation plan was announced.

"That was the real change, it put to bed all the ideas and threads we had about what the next big version would be like, or how we might change request to adopt new patterns," he said.

"I can’t speak for all the maintainers. For me, request has its day and I’m proud to have written it. Few libraries are ever this broadly adopted or recognized. But there’s no point in trying to hold on to what it was. The greatest contribution request could make to JavaScript now is to make room for all the new and better libraries people have built, which the deprecation should do." ®

Sponsored: Detecting cyber attacks as a small to medium business

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020