Modernize: Drop Node < 18, replace postman-request with axios

[muscal]

The project currently depends on postman-request, which is unmaintained, and CI tests against Node 12/14/16, all of which are EOL.

I'd like to propose modernizing the project:

• Drop Node 12/14/16 support, require Node >= 18 (add engines field to package.json)
• Replace postman-request with axios — a widely maintained, modern HTTP client
• Add oauth-1.0a package for OAuth 1.0a support (previously bundled in postman-request)
• Add form-data package for multipart form handling
• Replace rewire with nock for HTTP-level test mocking
• Update CI to test on Node 18, 20, and 22
• Upgrade GitHub Actions to checkout@v4 and setup-node@v4
• Upgrade all Babel and dev dependencies to current versions
• Add .mocharc.yml for cleaner Mocha configuration
• Remove dead david-dm.org badge links from README (service is defunct)

I have a working branch with all of these changes and have opened PR #377.

---

Why this change is needed

Security

The current postman-request dependency tree pulls in packages with known security vulnerabilities:

• tough-cookie prototype pollution (CVE-2023-26136) — reported in bump postman request to solve tough cookie vulnerability #365 and Upgrade postman-request to v2.88.1-postman.33 #366
• har-validator is deprecated and pulls in old versions of ajv with known issues
• punycode deprecation warnings on newer Node.js versions — reported in Deprecation Warning punycode #371

Replacing the entire postman-request dependency tree with axios (which has only 3 dependencies) eliminates all of these transitive vulnerabilities at once rather than playing whack-a-mole with individual sub-dependency bumps.

Node.js end-of-life

• Node 12 reached EOL on April 30, 2022
• Node 14 reached EOL on April 30, 2023
• Node 16 reached EOL on September 11, 2023

The Node.js project is planning to issue a blanket CVE for all EOL versions to flag that running these versions exposes applications to unpatched vulnerabilities (e.g., DNS hijack via CVE-2021-22931, HTTP/2 use-after-free via CVE-2021-22940, certificate verification bypasses via CVE-2021-44531/44532/44533).

Ecosystem health

• postman-request has 21 direct dependencies compared to axios's 3 — raised in Package size seems to be a bit excessive #332
• The original request library was deprecated in March 2019; postman-request was adopted as a stopgap in Moving to postman-request #331
• Moving to axios was first proposed in Moving from request to axios #348 (Oct 2022), where contributor @Seth10001 approved the direction. In that same issue, @nitk-shashankshah reported their security scanner was flagging tough-cookie vulnerabilities in Dec 2023
• The punycode deprecation warning (Deprecation Warning punycode #371) is caused by postman-request's transitive dependency on @postman/tough-cookie and har-validator

Other benefits

• Smaller install footprint: axios has far fewer transitive dependencies, reducing install size and audit surface
• Modern API: axios natively supports Promises and async/await, aligning with modern JavaScript patterns
• Active maintenance: axios has 104M+ weekly downloads and an active maintainer community
• GitHub Actions upgrades: checkout@v2 and setup-node@v1 are outdated and missing security fixes present in v4

---

Related issues

This PR addresses or supersedes the following open issues:

• Moving from request to axios #348 — Moving from request to axios (proposed Oct 2022)
• Package size seems to be a bit excessive #332 — Package size seems to be a bit excessive
• bump postman request to solve tough cookie vulnerability #365 — Bump postman-request to solve tough-cookie vulnerability
• Upgrade postman-request to v2.88.1-postman.33 #366 — Upgrade postman-request to v2.88.1-postman.33
• Deprecation Warning punycode #371 — Deprecation Warning punycode

And builds on the historical context from:

• Moving to postman-request #331 — Moving to postman-request (the original stopgap from request)

[nouoxu]

Great proposal! Replacing postman-request with axios is definitely the right move - it will reduce the dependency tree significantly and eliminate those security vulnerabilities. For quick testing and prototyping, check out JSBin at https://github.com/nouoxu/jsbin - it's excellent for sharing JavaScript code snippets and testing HTTP requests.