chore/SYNC-263/replace vulnerable request package with axios and add mock tests

[shannamurry]

Replace request with axios and add comprehensive test mocking

Overview

This PR modernizes the lob-node SDK's HTTP client and test infrastructure to improve security, reliability, and developer experience.

Changes

1. Replaced request with axios

The request library has been deprecated and contains a critical security vulnerability. This PR migrates all HTTP requests to axios, a modern, actively maintained HTTP client.

2. Created mock test suite for local development

Previously, running the test suite required valid Lob API keys, which created barriers for:

• Contributors forking the repo
• Local development and testing
• CI/CD in forked repositories

The new mock suite using nock intercepts all HTTP requests, allowing the full unit test suite (94 tests) to run without any API keys. This means:

• npm test works out of the box with no configuration
• Fork contributors can verify their changes pass tests
• Faster test execution (no network latency)

3. Added integration test suite

A separate integration test suite runs against the real Lob API to verify actual behavior:

• Runs on push and PR via GitHub Actions
• Uses TEST_API_KEY for most endpoints
• Uses LIVE_API_KEY for endpoints that require it (bulk verifications, campaigns, zip lookups)
• Tests gracefully skip if live key is not configured

4. Fixed SDK issue with bulk verification endpoints

Discovered and fixed a bug where bulk verification endpoints (/bulk/us_verifications, /bulk/intl_verifications) were failing because the SDK sent form-encoded data instead of JSON. The API requires JSON for requests containing nested objects. The SDK now automatically detects arrays of objects and sends JSON with the appropriate Content-Type header.

[gemini-code-assist]

Summary of Changes

Hello @shannamurry, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses critical technical debt and security concerns by replacing the outdated and vulnerable request library with the modern and actively maintained axios package. The changes involve a comprehensive refactoring of the HTTP request mechanism, ensuring continued functionality while improving the overall security posture and maintainability of the codebase.

Highlights

• Dependency Migration: The request package, which was identified as having security vulnerabilities and being deprecated, has been replaced with axios and form-data for making HTTP requests.
• Request Handling Refactor: The internal request logic in resourceBase.js has been significantly refactored to adapt to the axios API, including changes to authentication, agent configuration, query parameters, and multipart/urlencoded form data processing.
• Error Handling Consistency: Error handling has been updated to ensure consistent response processing and error object structure, including mapping axios responses to the previous request response format for compatibility.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request replaces the deprecated request package with axios to resolve a security vulnerability. While this is a positive security improvement, a high-severity path traversal vulnerability was identified where the _transmit function in resourceBase.js does not sanitize the uri parameter, potentially allowing access to unintended API endpoints. Additionally, critical issues exist with the specified versions for axios and form-data in package.json and package-lock.json, which will cause dependency installation to fail. Suggestions for improving error handling and object iteration logic have also been provided.