
Outdated axios dependencies


Doing a fresh install of Appium makes npm audit throw a tantrum: found 153 vulnerabilities (2 low, 151 high)

All of the found vulnerabilities seem to be caused by old versions of Axios.

I haven’t looked into whether or not these vulnerabilities actually affect Appium, but either way it would be nice to not have npm nagging you.

Environment

  • Appium version (or git revision) that exhibits the issue: 1.20.2
  • Desktop OS/version used to run Appium: macOS 11.2.1
  • Node.js version (unless using Appium.app|exe): v14.15.5
  • Npm or Yarn package manager: Npm 6.14.11
  • Appium CLI or Appium.app|exe: CLI

Code To Reproduce Issue [ Good To Have ]

npm init -y
npm i appium

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6

Top GitHub Comments

1 reaction
Simon-TechForm commented, Feb 11, 2021

These two packages are third-party dependencies, which we cannot influence much. Their authors decide on their own when to publish new versions.

Regarding the npm behaviour: it could be it is using a shrinkwrap file, where versions of particular modules are locked, so it does not try to get updated versions of them. This should not be the case for appium@beta though, which is not shrinkwrapped.

Yeah, I noticed that. We’ll just have to wait.

Ah, there’s a shrinkwrap file in appium. I did not notice that. Thank you.

Should we keep this issue open for other npm users to see? Maybe until the huge amount of vulnerabilities are removed from the package?

If not, feel free to close this.

0 reactions
mykola-mokhnach commented, Feb 11, 2021

These two packages are third-party dependencies, which we cannot influence much. The authors decide it on their own when to publish new versions.

Regarding the npm behaviour: it could be it is using a shrinkwrap file, where versions of particular modules are locked, so it does not try to get updated versions of them. This should not be the case for appium@beta though, which is not shrinkwrapped.
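The shrinkwrap point above, as an added example that is not code from Appium or from anyone in this thread: a small Node script that walks an npm 6 style lockfile (npm-shrinkwrap.json or package-lock.json, lockfileVersion 1) and lists every copy of a package the file pins, including nested copies under other dependencies, which is why a single up-to-date top-level copy does not silence npm audit. The lockfile contents, the "some-driver" package and the 0.21.0 threshold are constructed placeholders, not statements about any real axios or Appium release.

```javascript
// Added example (not from the Appium project or this thread): walk an
// npm 6 lockfile / npm-shrinkwrap.json (lockfileVersion 1) and report every
// locked copy of a package, including nested copies under other dependencies.
// The lockfile below is constructed for illustration; versions are placeholders.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    appium: {
      version: "1.20.2",
      dependencies: {
        axios: { version: "0.19.2" }, // nested copy locked under appium
        "some-driver": { version: "1.4.0", dependencies: { axios: { version: "0.18.1" } } },
      },
    },
    axios: { version: "0.21.1" }, // hoisted top-level copy
  },
};

// Recursively collect { path, version } for every lock entry named `pkg`.
// Nested `dependencies` objects are where npm keeps non-hoisted duplicates.
function findLocked(node, pkg, prefix = [], out = []) {
  for (const [name, meta] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, name];
    if (name === pkg) out.push({ path: path.join(" > "), version: meta.version });
    if (meta.dependencies) findLocked(meta, pkg, path, out);
  }
  return out;
}

// Compare two x.y.z strings numerically; negative when a < b, 0 when equal.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Copies of `pkg` locked below `minVersion` (the first version your advisory
// source lists as fixed; the threshold used below is a placeholder).
function lockedBelow(lock, pkg, minVersion) {
  return findLocked(lock, pkg).filter((e) => compareVersions(e.version, minVersion) < 0);
}

// Stand-alone run: report each pinned copy that sits below the placeholder threshold.
for (const e of lockedBelow(sampleLock, "axios", "0.21.0")) console.log(`${e.path} is locked at ${e.version}`);
```

To check a real install, replace sampleLock with JSON.parse(fs.readFileSync("npm-shrinkwrap.json")) read from the installed package directory.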

