Request-promise fork depends on (original, deprecated) request-promise-core package

[thw0rted]

It looks like issue submission is not enabled for https://github.com/cypress-io/request-promise so I'm submitting the issue here. Hope that's OK.

I noticed that your forked package still depends on request-promise-core, which introduces (among other things) a transitive dep on the vulnerable request package. Looking at the code in @cypress/request-promise, though, the only code actually used from request-promise-core is this one function; other than lodash, none of the transitive dependencies are actually used.

Would it be permissible to copy the single file (request2.js) from the deprecated codebase into your forked request-promise, and remove the dep on request-promise-core? This would reduce the installed footprint significantly.