Outdated axios dependencies
Doing a fresh install of Appium makes npm audit throw a tantrum:
found 153 vulnerabilities (2 low, 151 high)
All of the found vulnerabilities seem to be caused by old versions of Axios.
I haven’t looked into whether or not these vulnerabilities actually affect Appium, but either way it would be nice to not have npm nagging you.
Environment
- Appium version (or git revision) that exhibits the issue: 1.20.2
- Desktop OS/version used to run Appium: macOS 11.2.1
- Node.js version (unless using Appium.app|exe): v14.15.5
- Npm or Yarn package manager: Npm 6.14.11
- Appium CLI or Appium.app|exe: CLI
Code To Reproduce Issue [ Good To Have ]
npm init -y
npm i appium
Issue Analytics
- Created 3 years ago
- Comments: 6
Top GitHub Comments
Yeah, I noticed that. We’ll just have to wait.
Ah, there’s a shrinkwrap file in appium. I did not notice that. Thank you.
Should we keep this issue open for other npm users to see? Maybe until the huge amount of vulnerabilities are removed from the package?
If not, feel free to close this.
These two packages are third-party dependencies, which we cannot influence much. The authors decide on their own when to publish new versions.
Regarding the npm behaviour: it could be that it is using a shrinkwrap file, where versions of particular modules are locked, so it does not try to get updated versions of them. This should not be the case for appium@beta though, which is not shrinkwrapped.
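The comment above explains that a shrinkwrap (or package-lock) file pins transitive versions, which is why npm audit keeps reporting the same old copies after a fresh install. The following Node.js script is an added example, not code from the Appium project or from anyone in this thread: it walks a lockfile in the npm 6 (lockfileVersion 1) nested "dependencies" layout, lists every pinned copy of a package with the path that pulled it in, and flags copies below a minimum version you choose. The lockfile contents, package names, versions and the 0.21.0 threshold are all constructed for illustration; take the real threshold from the advisory npm audit points you to.

```javascript
// Added example (not the Appium project's code): find every pinned copy of a
// package in an npm lockfile and report the ones below a chosen minimum version.

// Constructed sample lockfile (lockfileVersion 1 layout); names and versions
// are illustrative only and do not describe any real package's history.
const sampleLock = {
  name: "audit-demo",
  lockfileVersion: 1,
  dependencies: {
    appium: {
      version: "1.20.2",
      requires: { axios: "^0.19.0" },
      dependencies: {
        // nested copy, shadowing the top-level one for this subtree
        axios: { version: "0.19.2" },
        "some-driver": {
          version: "2.0.0",
          dependencies: { axios: { version: "0.18.1" } },
        },
      },
    },
    // hoisted top-level copy
    axios: { version: "0.21.1" },
  },
};

// Parse "x.y.z" into numbers; a pre-release suffix ("1.0.0-beta") is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Return -1, 0 or 1 when comparing a to b on major.minor.patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `name`, recording the dependency
// path (top-level package > ... > name) and the version pinned at that spot.
function findPackageVersions(lock, name) {
  const found = [];
  function walk(deps, path) {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name) {
        found.push({ path: here.join(" > "), version: info.version });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return found;
}

// Keep only the copies pinned below `minVersion` (hypothetical threshold that
// the caller supplies, e.g. the fixed version named in an advisory).
function findOutdated(lock, name, minVersion) {
  return findPackageVersions(lock, name).filter(
    (hit) => compareVersions(hit.version, minVersion) < 0
  );
}

// Usage: print the copies that would keep an audit warning alive.
for (const hit of findOutdated(sampleLock, "axios", "0.21.0")) {
  console.log(`${hit.path} is pinned to ${hit.version} (below 0.21.0)`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("npm-shrinkwrap.json", "utf8"))` (or package-lock.json). A copy that only appears under a nested path is the one a shrinkwrap will keep installing regardless of what the top-level version says, which is the situation the comment above describes.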