Updating request module version

[pdehaan]

request@2.40.0 was released to fix a recent security issue w/ qs. See request/request#992 and https://blog.liftsecurity.io/2014/08/06/denial-of-service-in-qs

[pdehaan]

Steps to reproduce

$ git clone git@github.com:Medium/phantomjs.git .
$ npm i
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json

$ [sudo] npm i nsp -g
$ nsp shrinkwrap
Name  Installed  Patched  Vulnerable Dependency
qs      0.6.6     >= 1.x  phantomjs > request

[pdehaan]

Link to eslint/eslint#1149

[nicks]

just to verify, this is only a security issue if we pass untrusted urls to qs, right?

[pdehaan]

No clue, there was also https://nodesecurity.io/advisories/qs_dos_memory_exhaustion recently as well as https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking recently (which is why request was updated).

I was mainly filing it because our project's build task was failing the Travis build because of vulnerable modules in dependencies.

[nicks]

ya, looking at it, i don't think this is a real issue, but there's no harm in updating.

[nicks]

thanks for the patch