Vulnerability in request/request package that uses old request/tunnel-agent package

[izy-izzy]

According to multiple sources the package: request/tunnel-agent has in its version 0.4.3 has this security issue:

tunnel-agent is HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number is used to set the proxy.auth option of a request/request and results in possible uninitialized memory exposure in the request body.

This is a result of the unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.

This old dependency is introduced via requesting a package request/request (https://github.com/request/request) of version 2.79.0.
The latest version of request/request is at the version 2.85.1 that requires the tunnel-agent (https://github.com/request/tunnel-agent) of version 0.6.0 that does not has the vulnerability issue.

Would it be possible to use the new version of the request/request version 2.85.1? If so should I create the PR or is this handled by a development team?

There are no breaking changes between 2.79.0 and 2.85.1 so there should not be any problems with it.

Thank you.