If you have a tool that complains about a dependency's dev dependencies, do not trust that tool, since it's broken.

I'm happy to add an example using native http, but the example with request is valid and will remain. Also, using a deprecated package isn't a security issue, and things shouldn't be complaining about it.

Nevertheless, request is deprecated

Sure, and? It's a dev dependency, so consumers of this package should literally never care about it.

Please review this - for those of us that are using this package in enterprise applications it is triggering security alerts that we are getting audited on. There is no patched version of request that resolves this vulnerability. If you don't remove the package we will have to find an alternative to form-data which is going to cost us time and effort. https://security.snyk.io/package/npm/request/2.87.0

I understand that request has an unpatched vulnerability. It is not used in the production dependency graph of this package, however, so merging this PR will have no effect on the security of your application. Can you show me why snyk thinks request is coming into your application via form-data?

I actually had the dependency tree wrong on this - apologies. closing the pr.