Skip to content

deps: update http-errors from 1.6.x to 2.0.x#38

Open
mahmoodhamdi wants to merge 1 commit intopillarjs:masterfrom
mahmoodhamdi:deps/update-http-errors
Open

deps: update http-errors from 1.6.x to 2.0.x#38
mahmoodhamdi wants to merge 1 commit intopillarjs:masterfrom
mahmoodhamdi:deps/update-http-errors

Conversation

@mahmoodhamdi
Copy link
Copy Markdown

@mahmoodhamdi mahmoodhamdi commented Mar 29, 2026

Summary

Updates http-errors dependency from ~1.6.3 to ~2.0.0.

Why

The old http-errors@1.6.x depends on depd@1.1.2, which uses eval() internally. This triggers security warnings in bundlers (Rollup, Webpack) and environments with strict Content Security Policies.

http-errors@2.0.0 depends on depd@2.0.0, which removed the eval() usage.

Testing

All 23 existing tests pass with the updated dependency. The http-errors v2 API is backwards compatible for the usage in this package (createError(statusCode) and createError(statusCode, message)).

Fixes #6

@mahmoodhamdi
deps: update http-errors from 1.6.x to 2.0.x
cbbe83e 
Update http-errors dependency from ~1.6.3 to ~2.0.0. The old version
pulled in depd@1.1.2 which uses eval() internally, causing security
warnings in bundlers and strict CSP environments. http-errors@2.0.0
depends on depd@2.0.0 which does not use eval().

All existing tests pass with the updated dependency.

Fixes pillarjs#6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Update http-errors to update depd to remove eval()

1 participant

@mahmoodhamdi