@BekahHW BekahHW commented Jan 14, 2026

Summary

This PR removes the deprecated request package from the codebase to fix a Critical Severity security vulnerability.

Vulnerability Details

The request package (which is deprecated and no longer maintained) was listed as a direct dependency in both core/package.json and extensions/vscode/package.json. This package brought in a transitive dependency on form-data@2.3.3 which has a Critical Severity vulnerability:

Investigation Findings

After scanning the codebase, I found that the request package was:

  • Never imported anywhere in the source code (grep for `import.*from.*'request'` and `require('request')` returned no results)
  • Listed only in package.json files as a direct dependency
  • Essentially an unused leftover dependency

Changes Made

  • Removed request from core/package.json
  • Removed @types/request from core/package.json (devDependencies)
  • Removed request from extensions/vscode/package.json
  • Removed @types/request from extensions/vscode/package.json (devDependencies)
  • Updated corresponding package-lock.json files

Verification

After the fix, running `npx snyk test` confirms that the critical form-data vulnerability has been eliminated from both the core and extensions/vscode packages.



Summary by cubic

Removed the deprecated request dependency (and types) to eliminate a critical form-data vulnerability. It was unused and only inflated the dependency tree.

  • Dependencies
    • Removed request from core and extensions/vscode
    • Removed @types/request from devDependencies
    • Updated package-lock.json files
  • Bug Fixes
    • Eliminates Critical form-data@2.3.3 issue (SNYK-JS-FORMDATA-10841150); verified with npx snyk test

Written for commit acab841. Summary will update on new commits.
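
The investigation step in the description above (a dependency declared in package.json that no source file imports), as an added example that is not part of this PR or the project's code. The function names, manifest, file names and file contents are constructed for illustration; it also covers subpath imports, scoped packages and `@types/*` companions, which a single grep pattern does not.

```javascript
// Added example, not code from this PR. Manifest and sources are constructed.
// Matches `from 'x'`, `import 'x'`, `import('x')` and `require('x')`.
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"]+)\1/g;

// 'request/lib/x' -> 'request'; '@scope/pkg/sub' -> '@scope/pkg';
// relative paths and node: builtins -> null.
function packageName(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// '@types/request' -> 'request'; '@types/scope__pkg' -> '@scope/pkg'
// (DefinitelyTyped naming). Other names are returned unchanged.
function runtimeName(dep) {
  if (!dep.startsWith('@types/')) return dep;
  const bare = dep.slice('@types/'.length);
  return bare.includes('__') ? '@' + bare.replace('__', '/') : bare;
}

// Every package name referenced by any of the given source texts.
function importedPackages(sources) {
  const used = new Set();
  for (const text of Object.values(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      const name = packageName(match[2]);
      if (name) used.add(name);
    }
  }
  return used;
}

// Declared dependencies (and their @types) that no source file imports.
function unusedDependencies(manifest, sources) {
  const used = importedPackages(sources);
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  return Object.keys(declared).filter((d) => !used.has(runtimeName(d))).sort();
}

// Constructed sample input; version ranges are placeholders.
const manifest = {
  dependencies: { request: '*', axios: '*', '@octokit/rest': '*' },
  devDependencies: { '@types/request': '*' },
};
const sources = {
  'core/index.ts': "import axios from 'axios';\nconst o = require('@octokit/rest');\n",
  'core/util/http.ts': "import { h } from './h';\nexport * from 'axios/lib/x';\n",
};
console.log(unusedDependencies(manifest, sources));
```

The result is a list of candidates for review: packages used only through a CLI or a config file are never imported and will also be listed, and a specifier that appears only in a comment counts as a use.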

…erability

The deprecated `request` package was listed as a direct dependency in both
`core/package.json` and `extensions/vscode/package.json`, but was never
actually imported or used anywhere in the codebase. This package brought in
a transitive dependency on `form-data@2.3.3` which has a Critical Severity
vulnerability (SNYK-JS-FORMDATA-10841150: Predictable Value Range from
Previous Values).

By removing the unused `request` package and its `@types/request` type
definitions, we eliminate this critical security vulnerability.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
@BekahHW BekahHW requested a review from a team as a code owner January 14, 2026 18:24
@BekahHW BekahHW requested review from Patrick-Erichsen and removed request for a team January 14, 2026 18:24
continue bot commented Jan 14, 2026

All Green - Keep your PRs mergeable

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts


@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jan 14, 2026
github-actions bot commented Jan 14, 2026

✅ Review Complete

Code Review Summary

⚠️ Continue API authentication failed. Please check your CONTINUE_API_KEY.


@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 4 files

@RomneyDa RomneyDa marked this pull request as draft January 22, 2026 22:51
Labels

continue-agent size:XS This PR changes 0-9 lines, ignoring generated files.
