Deprecated 'request' npm Package Exposes Projects to SSRF via CVE-2023-28155, No Fix Available
A critical dependency alert reveals that the widely used but deprecated `request` npm library contains an unfixed Server-Side Request Forgery (SSRF) vulnerability, CVE-2023-28155. The flaw, rated medium severity, allows attackers to exploit the library's handling of cross-protocol redirects—such as from HTTP to `file://` or `gopher://`—to force a server to make unauthorized internal requests. This poses a direct risk to any application that passes user-supplied URLs to the `request()` function, potentially exposing internal network services and data.
The vulnerability affects all versions of the `request` package up to and including the final release, `2.88.2`. The package was officially deprecated in 2020 and has received no security updates since. A recent GitHub issue highlights that a standard dependency update cannot resolve the problem: reinstalling the package only refreshes the lockfile, which continues to record the vulnerable version, and the alert persists. There is no patched version available on the npm registry, leaving projects that still rely on this legacy library in a precarious state.
The only true remediation path is a full migration to a modern, actively maintained alternative. This situation underscores the persistent security debt in software ecosystems, where abandoned but deeply embedded dependencies become permanent attack vectors. Development teams must now audit their projects for `request` usage and prioritize its replacement, as the absence of an upstream fix shifts the entire burden of risk mitigation onto downstream maintainers.
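When migrating off `request`, the replacement client should enforce the redirect policy that the vulnerable library lacked: follow redirects manually and refuse any hop that changes protocol, leaves the expected hosts, or targets a non-HTTP scheme. The following is an added illustration written for this article, not code from the `request` project or the advisory; the allowlist, the synchronous `respond` callback and the fake server responses are constructed stand-ins for a real client such as Node's global `fetch` with `redirect: "manual"`.

```javascript
// Added example (not from the advisory or the `request` project).
// Only plain web schemes may ever be contacted; file:, gopher:, etc. are rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Decide whether moving from `fromUrl` to `toUrl` is acceptable.
// `allowedHosts` is the caller's host allowlist (hypothetical policy).
function isSafeRedirect(fromUrl, toUrl, allowedHosts) {
  let from, to;
  try {
    from = new URL(fromUrl);
    to = new URL(toUrl, fromUrl); // Location headers may be relative
  } catch {
    return false; // unparsable URL: fail closed
  }
  if (!ALLOWED_PROTOCOLS.has(to.protocol)) return false; // non-web scheme
  if (to.protocol !== from.protocol) return false;       // cross-protocol hop
  if (!allowedHosts.has(to.hostname)) return false;      // off-allowlist host
  return true;
}

// Resolve a redirect chain hop by hop. `respond(url)` stands in for the
// HTTP client and returns { status, location }; a real implementation
// would await fetch(url, { redirect: "manual" }) here.
function resolveRedirects(startUrl, allowedHosts, respond, maxHops = 5) {
  let current = startUrl;
  // Validate the initial URL with the same rules (from === to).
  if (!isSafeRedirect(current, current, allowedHosts)) {
    throw new Error(`blocked initial URL: ${current}`);
  }
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = respond(current);
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) return { url: current, status: res.status };
    const next = new URL(res.location, current).href;
    if (!isSafeRedirect(current, next, allowedHosts)) {
      throw new Error(`blocked redirect: ${current} -> ${next}`);
    }
    current = next;
  }
  throw new Error("too many redirects");
}

// Constructed fake server responses so the policy can be exercised offline.
const FAKE_RESPONSES = {
  "https://api.example.com/a": { status: 302, location: "/b" },
  "https://api.example.com/b": { status: 200 },
  "https://api.example.com/evil": { status: 302, location: "http://intranet.example.internal/" },
};
function fakeResponder(url) { return FAKE_RESPONSES[url] || { status: 404 }; }
```

The same checks also belong on the first request, which is why the initial URL is run through `isSafeRedirect` before any hop is followed.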