Replace the request dev-dependency in project unit tests

Why are we making this change

In the Caracas release of API Builder, we released a new major version of the API Builder CLI. This version removes the dependency on request in new projects. While request is still fully functional, the library has been deprecated and has a CVE reported against one of its dependencies. Note that request itself does not make use of the vulnerable code, but security scans will still emit warnings.

We made a breaking change to the CLI, upgrading it to the latest version of the Axway CLI, v3.1.0, and it now requires Node.js >= 12.17 as a minimum. New projects created with the new version of the CLI depend on got instead of request. This dependency is used for making HTTP requests to API Builder to test your application’s APIs.

How does this impact my service

This update is optional. While there is no direct vulnerability in any production code, security scans on your project may report a CVE against request, as well as a warning that the module has been deprecated and has not been updated in over 2 years. While we can modify the implementation and dependencies of API Builder, we cannot change the direct dependencies of your project, such as this one, during an upgrade. Updating and modifying them as required is the developer’s responsibility.

While we chose got as a replacement for request in new projects, got is not a hard requirement. You can choose to write your tests in the way which works best for you, using any available library. The following section describes how to modify your project to use it.

Upgrade existing services

If your application does not use “npm test”

If you do not use the unit test framework included in your project (npm test), then you can safely clear the security warnings by removing the dependency on request. Run the following command from your project directory:

npm uninstall request

If your application does not use “npm test” but you want to write unit tests

If you have not written any unit tests or changed any of the existing tests, but would like to make use of npm test, then we recommend installing the latest version of the CLI and creating a new project, then copying the new /test directory from the new project into your existing project (existing-project), replacing the existing directory. Finally, uninstall request and install got version 11.x (which the new tests use).

axway builder init new-project --no-install
cp -R new-project/test existing-project/test
cd existing-project
npm uninstall request
npm install got@11

If your application uses “npm test”

If you are making use of the unit test framework, treat the following as guidelines, because your own changes to the test framework can be very different. You should read the got documentation to learn the full capabilities and API of the library.

Copy _base.js from a new project into your existing project (existing-project). It contains improvements to how the unit test framework is started / stopped.

axway builder init new-project --no-install
cp -R new-project/test/_base.js existing-project/test/_base.js

We would suggest that you get familiar with the changes to the new-project test framework before trying to apply changes in the following sections to your existing-project.

Use got instead

We deleted requestAsync, so if your test file has the following, replace it with got:

const { startApiBuilder, stopApiBuilder, requestAsync } = require('./_base');

Change it to:

const got = require('got');
const { startApiBuilder, stopApiBuilder } = require('./_base');

Then, somewhere in your test (for example, in the before script), you need to configure got with your URL and apiPrefix security credentials:

  client = got.extend({
    prefixUrl: 'http://localhost:8080',
    username: apikey,
    password: '',
    headers: {
      apikey,
      authorization: `Basic ${Buffer.from(apikey + ':').toString('base64')}`
    },
    throwHttpErrors: false
  });

Later, in your test code, you can make use of the client, so if you see the old requestAsync:

return requestAsync({
  method: 'GET',
  uri: `http://localhost:${server.apibuilder.port}/api/testapi/${user.getPrimaryKey()}`,
  auth: auth,
  json: true
});

You can replace it with the got client:

const response = await client.get(`api/testapi/${user.getPrimaryKey()}`, {
  responseType: 'json'
});

Be aware that your unit tests need to use async:

it('[API-0002] should be able to hit testapi via http', async () => {

Server startup

The server startup with startApiBuilder has changed. It will await server startup, and then return a server instance of APIBuilder. So, if your test file has the following:

  before(() => {
    server = startApiBuilder();
    // etc...
  });

Change it to:

  before(async () => {
    server = await startApiBuilder();
    // stuff...
  });

There is no longer a server.started promise, so you no longer need this:

  return server.started.then(
    () => new Promise((resolve, reject) => {
      server.apibuilder.getModel('testuser').create(
        // etc...
      );
    })
  );

You can change to this:

  return new Promise((resolve, reject) => {
    server.getModel('testuser').create(
      // etc...
    );
  });

In the last example, you may have noticed that there is also no longer a server.apibuilder property; it is just server. So if you see this:

server.apibuilder.getModel('testuser')

You need to change to this:

server.getModel('testuser')
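
An added example, not part of the original guide or of API Builder: a small Node.js checker that scans test source for the old patterns replaced above (requestAsync, an un-awaited startApiBuilder(), server.started, server.apibuilder) and package.json for a remaining request entry. The rule ids, fix hints and sample sources are constructed for illustration.

```javascript
// Added example: flags the pre-migration patterns this guide replaces.
const RULES = [
  { id: 'requestAsync', re: /\brequestAsync\b/, fix: 'call a got client created with got.extend()' },
  { id: 'require-request', re: /require\(\s*['"]request['"]\s*\)/, fix: "require('got')" },
  { id: 'unawaited-start', re: /(?<!\bawait\s+)\bstartApiBuilder\s*\(/, fix: 'server = await startApiBuilder()' },
  { id: 'server.started', re: /\bserver\.started\b/, fix: 'drop it; startApiBuilder() already awaits startup' },
  { id: 'server.apibuilder', re: /\bserver\.apibuilder\b/, fix: 'call the method on server directly' }
];

// Returns one finding per (line, rule) hit in a test file's source text.
function scanTestSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    if (/^\s*\/\//.test(text)) return; // ignore full-line comments
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ line: index + 1, rule: rule.id, fix: rule.fix });
    }
  });
  return findings;
}

// Returns the package.json sections that still declare request.
function findRequestDependency(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return ['dependencies', 'devDependencies'].filter(
    (section) => pkg[section] && Object.prototype.hasOwnProperty.call(pkg[section], 'request')
  );
}

// Constructed sample: an unmigrated test file.
const OLD_TEST = [
  "const { startApiBuilder, stopApiBuilder, requestAsync } = require('./_base');",
  'before(() => {',
  '  server = startApiBuilder();',
  "  return server.started.then(() => server.apibuilder.getModel('testuser'));",
  '});'
].join('\n');

// Constructed sample: the same file after following this guide.
const NEW_TEST = [
  "const got = require('got');",
  "const { startApiBuilder, stopApiBuilder } = require('./_base');",
  'before(async () => {',
  '  server = await startApiBuilder();',
  '});'
].join('\n');

for (const f of scanTestSource(OLD_TEST)) console.log(`line ${f.line}: ${f.rule} -> ${f.fix}`);
```

To use it on a real project, read each file under test/ and the project's package.json and pass their contents to the two functions.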

package.json

We also updated a number of dependencies that you may wish to update:

  "dependencies": {
-    "@axway/api-builder-runtime": "^4.69.0",
+    "@axway/api-builder-runtime": "^4.74.8",
-    "@axway/api-builder-plugin-invoke-flow": "^1.1.1",
+    "@axway/api-builder-plugin-invoke-flow": "^1.1.2",
-    "@axway/api-builder-plugin-fn-base64": "^4.0.2",
+    "@axway/api-builder-plugin-fn-base64": "^4.0.3",
-    "@axway/api-builder-plugin-fn-javascript": "^3.0.2",
+    "@axway/api-builder-plugin-fn-javascript": "^3.0.3",
-    "@axway/api-builder-plugin-fn-json": "^4.0.2",
+    "@axway/api-builder-plugin-fn-json": "^4.0.3",
-    "@axway/api-builder-plugin-fn-logger": "^1.0.1",
+    "@axway/api-builder-plugin-fn-logger": "^1.0.2",
-    "@axway/api-builder-plugin-fn-mustache": "^1.0.10",
+    "@axway/api-builder-plugin-fn-mustache": "^1.0.11",
-    "@axway/api-builder-plugin-fn-restclient": "^2.0.24",
+    "@axway/api-builder-plugin-fn-restclient": "^2.0.26",
-    "@axway/api-builder-plugin-fn-swagger": "^3.0.0"
+    "@axway/api-builder-plugin-fn-swagger": "^3.0.8"
  },
  "devDependencies": {
-    "@axway/api-builder-admin": "^1.44.13",
+    "@axway/api-builder-admin": "^1.48.3",
-    "chai": "^4.3.1",
+    "chai": "^4.3.4",
+    "got": "^11.8.3",
-    "mocha": "^6.1.4",
+    "mocha": "^9.1.2"
-    "request": "^2.88.0",
  },
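
Review bot: In devDependencies, the mocha change from ^6.1.4 to ^9.1.2 crosses three major versions, while every other changed entry in this diff moves by a patch or minor release, so it deserves its own run of npm test (and a check of any mocha options the project sets) rather than being folded into the same update. Also, removing the "request": "^2.88.0" line from package.json by hand does not change what is installed; run npm install afterwards and confirm with npm ls request that the package is gone, so that the scan warnings described above actually clear.
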
Last modified September 9, 2022: V5 - Austen release (#102) (2414d7c)