lob 7.0.1 → 8.1.0

package/README.md

@@ -3,12 +3,8 @@
 [downloads-image]: http://img.shields.io/npm/dm/lob.svg
 [npm-url]: https://npmjs.org/package/lob
 [npm-image]: https://badge.fury.io/js/lob.svg
-[travis-url]: https://travis-ci.org/lob/lob-node
-[travis-image]: https://travis-ci.org/lob/lob-node.svg?branch=master
-[depstat-url]: https://david-dm.org/Lob/Lob-node
-[depstat-image]: https://david-dm.org/Lob/Lob-node.svg
 
-[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url]  [![Build Status](https://travis-ci.org/lob/lob-node.svg?branch=master)](https://travis-ci.org/lob/lob-node) [![Dependency Status](https://david-dm.org/lob/lob-node.svg)](https://david-dm.org/lob/lob-node) [![Dev Dependency Status](https://david-dm.org/lob/lob-node/dev-status.svg)](https://david-dm.org/lob/lob-node) [![Coverage Status](https://coveralls.io/repos/lob/lob-node/badge.svg?branch=master)](https://coveralls.io/r/lob/lob-node?branch=master)
+[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![CI](https://github.com/lob/lob-node/actions/workflows/run_tests.yml/badge.svg)](https://github.com/lob/lob-node/actions/workflows/run_tests.yml) [![Coverage Status](https://coveralls.io/repos/lob/lob-node/badge.svg?branch=master)](https://coveralls.io/r/lob/lob-node?branch=master)
 
 Node.js wrapper for the [Lob.com](https://lob.com) API. See full Lob.com documentation [here](https://lob.com/docs/node).
 ******
@@ -63,6 +59,8 @@ $ git clone git@github.com:lob/lob-node.git
 $ npm install
 ```
 
+**Requirements:** Node.js >= 24.15.0, npm >= 11.5.1
+
 ### Usage
 ```javascript
 const Lob = require('lob')('YOUR API KEY');
@@ -146,18 +144,38 @@ To contribute, please see the [CONTRIBUTING.md](https://github.com/lob/lob-node/
 
 ## Testing
 
-To run the tests with coverage:
+To run unit tests with coverage:
+
+```
+npm test
+```
+
+To run integration tests (requires API keys):
+
+```
+TEST_API_KEY=your_test_key npm run test:integration
+```
+
+Some integration tests require a live API key:
 
 ```
-LOB_API_KEY=YOUR_TEST_API_KEY npm test
+TEST_API_KEY=your_test_key LIVE_API_KEY=your_live_key npm run test:integration
 ```
 
-To run the tests without coverage:
+To run lint:
 
 ```
-LOB_API_KEY=YOUR_TEST_API_KEY npm run test-no-cover
+npm run lint
 ```
 
+To check for vulnerabilities:
+
+```
+npm audit
+```
+
+Target: zero `moderate` and zero `high` findings. Current status: **0 vulnerabilities**.
+
 =======================
 
 Copyright © 2013 Lob.com

package/lib/index.js

@@ -6,10 +6,10 @@ const Resources     = require('./resources');
 const LOB_HOST = process.env.LOB_HOST || 'https://api.lob.com/v1/';
 const LOB_USERAGENT = `Lob/v1 NodeBindings/${ClientVersion}`;
 
-const Lob = function (apiKey, options) {
+const LobClient = function (apiKey, options) {
 
-  if (!(this instanceof Lob)) {
-    return new Lob(apiKey, options);
+  if (!(this instanceof LobClient)) {
+    return new LobClient(apiKey, options);
   }
 
   this.resourceBase = require('./resources/resourceBase');
@@ -28,7 +28,7 @@ const Lob = function (apiKey, options) {
 
   if (options && typeof options === 'object') {
 
-    if (Object.prototype.hasOwnProperty.call(options, 'apiVersion')) {
+    if (Reflect.apply(Object.prototype.hasOwnProperty, options, ['apiVersion'])) {
       this.options.headers['Lob-Version'] = options.apiVersion;
     }
 
@@ -41,7 +41,7 @@ const Lob = function (apiKey, options) {
   this._initResources();
 };
 
-(function () {
+Reflect.apply(function () {
 
   this._initResources = function () {
     const services = Object.keys(Resources);
@@ -52,6 +52,6 @@ const Lob = function (apiKey, options) {
     }
   };
 
-}).call(Lob.prototype);
+}, LobClient.prototype, []);
 
-module.exports = Lob;
+module.exports = LobClient;

package/lib/resources/bankAccounts.js

@@ -30,7 +30,7 @@ class BankAccounts extends ResourceBase {
   }
 
   verify (id, params, callback) {
-    return this._transmit('POST', `${id}/verify`, null, params, callback);
+    return this._transmit('POST', `${encodeURIComponent(id)}/verify`, null, params, callback);
   }
 
 }

package/lib/resources/cards.js

@@ -69,7 +69,7 @@ class Cards extends ResourceBase {
         params[`${p}[${key}]`] = params[p][key];
       }
 
-      delete params[p];
+      Reflect.deleteProperty(params, p);
     }
 
     return this._transmit('POST', null, null, params, headers, callback);

package/lib/resources/letters.js

@@ -55,7 +55,7 @@ class Letters extends ResourceBase {
         params[`${p}[${key}]`] = params[p][key];
       }
 
-      delete params[p];
+      Reflect.deleteProperty(params, p);
     }
 
     return this._transmit('POST', null, null, params, headers, callback);

package/lib/resources/postcards.js

@@ -66,7 +66,7 @@ class Postcards extends ResourceBase {
         params[`${p}[${key}]`] = params[p][key];
       }
 
-      delete params[p];
+      Reflect.deleteProperty(params, p);
     }
 
     return this._transmit('POST', null, null, params, headers, callback);

package/lib/resources/resourceBase.js

@@ -1,7 +1,14 @@
 'use strict';
 
-const Request  = require('request');
-const Stream   = require('stream');
+const axios = require('axios');
+const FormDataLib = require('form-data');
+const Stream = require('stream');
+
+// Helper to create a compatibility response object from axios response
+const createCompatResponse = (axiosResp) => Object.assign({}, axiosResp, {
+  statusCode: axiosResp.status,
+  statusMessage: axiosResp.statusText
+});
 
 class ResourceBase {
 
@@ -20,94 +27,149 @@ class ResourceBase {
 
     const allHeaders = Object.assign({}, this.config.headers, headers);
 
-    const opts = {
-      url: `${this.uri}${uri ? `/${uri}` : ''}`,
+    // Encode URI to prevent path traversal, but only for simple IDs
+    // Composite paths (containing /) should be encoded by the caller
+    const encodedUri = uri && !uri.includes('/') ? encodeURIComponent(uri) : uri;
+
+    const config = {
+      url: `${this.uri}${encodedUri ? `/${encodedUri}` : ''}`,
       method,
-      auth: { user: this.config.apiKey, password: '' },
+      auth: { username: this.config.apiKey, password: '' },
       headers: allHeaders,
-      json: true
+      validateStatus: () => true
     };
 
     if (this.config.agent) {
-      opts.agent = this.config.agent;
+      const isHttps = this.uri.startsWith('https');
+      if (isHttps) {
+        config.httpsAgent = this.config.agent;
+      } else {
+        config.httpAgent = this.config.agent;
+      }
     }
 
     let isMultiPartForm = false;
+    let requiresJson = false;
 
-    for (const key in form) {
+    Object.keys(form || {}).forEach((key) => {
       if (form[key] === undefined) {
-        delete form[key];
+        Reflect.deleteProperty(form, key);
       }
       if (form[key] === true || form[key] === false) {
         form[key] = form[key].toString();
       }
-    }
+    });
 
-    for (const param in form) {
+    Object.keys(form || {}).forEach((param) => {
       const val = form[param];
 
       if (val instanceof Stream.Stream) {
         isMultiPartForm = true;
-        break;
       }
 
-      if (val !== undefined && val !== null && Object.prototype.hasOwnProperty.call(val, 'value')) {
+      if (val !== undefined && val !== null && Reflect.apply(Object.prototype.hasOwnProperty, val, ['value'])) {
         isMultiPartForm = true;
-        break;
       }
-    }
+
+      // Check if array contains objects (requires JSON encoding)
+      if (Array.isArray(val) && val.length > 0 && typeof val[0] === 'object') {
+        requiresJson = true;
+      }
+    });
 
     if (qs) {
-      opts.qs = qs;
+      config.params = qs;
     }
 
     if (form) {
       if (isMultiPartForm) {
-        opts.formData = form;
+        const formData = new FormDataLib();
+
+        Object.keys(form).forEach((key) => {
+          const val = form[key];
+
+          if (val instanceof Stream.Stream) {
+            formData.append(key, val);
+          } else if (val !== undefined && val !== null && Reflect.apply(Object.prototype.hasOwnProperty, val, ['value'])) {
+            formData.append(key, val.value, val.options);
+          } else if (val !== undefined && val !== null) {
+            formData.append(key, val);
+          }
+        });
+
+        config.data = formData;
+        config.headers = Object.assign({}, config.headers, formData.getHeaders());
+      } else if (requiresJson) {
+        // Use JSON for requests with nested objects (e.g., bulk verifications)
+        config.data = form;
+        config.headers['Content-Type'] = 'application/json';
       } else {
-        opts.form = form;
+        const params = new URLSearchParams();
+        Object.keys(form).forEach((key) => {
+          const val = form[key];
+          if (val !== undefined && val !== null) {
+            if (Array.isArray(val)) {
+              // Handle arrays: amounts[0]=23&amounts[1]=34
+              val.forEach((item, index) => {
+                params.append(`${key}[${index}]`, item);
+              });
+            } else {
+              params.append(key, val);
+            }
+          }
+        });
+        config.data = params;
+        config.headers['Content-Type'] = 'application/x-www-form-urlencoded';
       }
     }
 
-    const promise = new Promise((resolve, reject) => {
-      Request(opts, (err, resp, body) => {
+    const promise = axios(config)
+      .then((resp) => {
         /* istanbul ignore next */
-        body = body || {};
-
-        /* istanbul ignore next */
-        if (err) {
-          return reject(err);
-        }
+        const body = resp.data || {};
 
         if (body && body.error) {
           const error = new Error(body.error.message);
           error.status_code = body.error.status_code;
-          error._response = resp;
-          return reject(error);
+          error._response = createCompatResponse(resp);
+          throw error;
         }
 
-        if (resp && resp.statusCode >= 500) {
-          const error = new Error(resp.statusMessage);
-          error.status_code = resp.statusCode;
-          error._response = resp;
-          return reject(error);
+        if (resp.status >= 500) {
+          const error = new Error(resp.statusText);
+          error.status_code = resp.status;
+          error._response = createCompatResponse(resp);
+          throw error;
         }
 
-        Object.defineProperty(body, '_response', {
+        const compatResponse = createCompatResponse(resp);
+
+        Reflect.defineProperty(body, '_response', {
           enumerable: false,
           writable: false,
-          value: resp
+          value: compatResponse
         });
 
-        return resolve(body);
+        return body;
+      })
+      .catch((err) => {
+        // Re-throw errors that were already processed in .then() block
+        // (they have _response attached)
+        /* istanbul ignore next */
+        if (err._response) {
+          throw err;
+        }
+
+        // Network errors (no response from server) - just re-throw
+        // Note: HTTP status errors are handled in .then() since validateStatus: () => true
+        throw err;
       });
-    })
 
     if (callback) {
-      promise.then(body => callback(null, body), err => callback(err));
+      promise.then((body) => callback(null, body), (err) => callback(err));
     }
 
-    return promise
+    return promise;
   }
 
 }

package/lib/resources/selfMailers.js

@@ -66,7 +66,7 @@ class SelfMailers extends ResourceBase {
         params[`${p}[${key}]`] = params[p][key];
       }
 
-      delete params[p];
+      Reflect.deleteProperty(params, p);
     }
 
     return this._transmit('POST', null, null, params, headers, callback);

package/lib/resources/templates.js

@@ -4,7 +4,7 @@ const ResourceBase = require('./resourceBase');
 
 class Template extends ResourceBase {
   constructor (config) {
-      super('templates', config);
+    super('templates', config);
   }
 
   list (options, callback) {
@@ -29,4 +29,4 @@ class Template extends ResourceBase {
   }
 }
 
-module.exports = Template;
+module.exports = Template;

package/lib/resources/usReverseGeocodeLookups.js

@@ -14,4 +14,4 @@ class USReverseGeocodeLookups extends ResourceBase {
 
 }
 
-module.exports = USReverseGeocodeLookups;
+module.exports = USReverseGeocodeLookups;

package/package.json

@@ -10,27 +10,32 @@
     "Lob.com",
     "printing"
   ],
-  "version": "7.0.1",
+  "version": "8.1.0",
   "homepage": "https://github.com/lob/lob-node",
   "author": "Lob <support@lob.com> (https://lob.com/)",
   "dependencies": {
-    "request": "^2.88.0"
+    "axios": "^1.16.1",
+    "form-data": "^4.0.5"
   },
   "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@stylistic/eslint-plugin": "^5.10.0",
     "agentkeepalive": "^4.1.0",
-    "chai": "^2.2.0",
-    "coveralls": "^3.0.5",
-    "cross-env": "^5.2.0",
-    "csv-parse": "^4.4.6",
-    "eslint": "^8.6.0",
-    "eslint-config-lob": "^5.2.0",
+    "chai": "^6.2.2",
+    "cross-env": "^10.1.0",
+    "csv-parse": "^6.2.1",
+    "eslint": "^10.4.0",
+    "eslint-config-lob": "^7.0.0",
+    "eslint-plugin-jsdoc": "^62.9.0",
+    "eslint-plugin-lob": "^3.0.2",
     "generate-changelog": "^1.0.0",
-    "json-2-csv": "^3.15.1",
-    "mocha": "^10.0.0",
+    "globals": "^17.6.0",
+    "json-2-csv": "^5.5.10",
+    "mocha": "^11.7.5",
     "moment": "^2.22.1",
-    "nyc": "^15.1.0",
-    "p-map": "^2.1.0",
-    "uuid": "^3.1.0"
+    "nock": "^14.0.15",
+    "nyc": "^18.0.0",
+    "p-map": "^7.0.4"
   },
   "repository": {
     "type": "git",
@@ -39,12 +44,13 @@
   "bugs:": "https://github.com/lob/lob-node/issues",
   "main": "./lib/index",
   "engines": {
-    "node": ">= 20.0.0",
+    "node": ">= 24.15.0",
     "npm": ">= 11.5.1"
   },
   "scripts": {
-    "test": "cross-env NODE_ENV=test nyc mocha test --recursive --timeout 30000",
-    "test-no-cover": "cross-env NODE_ENV=test mocha test --recursive --timeout 30000",
+    "test": "cross-env NODE_ENV=test nyc mocha test",
+    "test:integration": "mocha --config test/integration/.mocharc.json",
+    "test-no-cover": "cross-env NODE_ENV=test mocha test",
     "coverage": "nyc report --reporter=text",
     "enforce": "nyc check-coverage --statements 100 --lines 100 --functions 100 --branches 100",
     "test-lcov": "nyc report --reporter=lcov",
@@ -63,5 +69,9 @@
     "lib",
     "LICENSE.txt"
   ],
-  "license": "MIT"
+  "license": "MIT",
+  "overrides": {
+    "serialize-javascript": "^7.0.5",
+    "diff": "^9.0.0"
+  }
 }