Still using old 0.21.1 axios version
ryanmr opened this issue
I'm submitting a...
[ ] Regression
[x] Bug report
[ ] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.
Current behavior
This package locks on "axios": "0.21.1", while there are open CVEs for versions below 0.21.4.
Expected behavior
Either using latest, using axios as a peer dependency or upgrading to the latest non-vuln version.
Minimal reproduction of the problem with instructions
https://snyk.io/vuln/SNYK-JS-AXIOS-1579269
What is the motivation / use case for changing the behavior?
Environment
Nest version: X.Y.Z
This issue occurs with the latest version of this package at 0.0.1.
For Tooling issues:
- Node version: XX
- Platform:
Others:
Upgrading from an older nest 7 to nest 8 system, I saw HttpModule was deprecated and followed the update instructions. But this package is below 1.0 and is using a locked dep too.
I know a couple of PRs have been opened already to bump the version up to 0.21.4, but I've submitted an alternative PR which does that and also loosens up the semver notation to ^0.21.4 to allow for any future versions to satisfy this package's axios dependency. #149
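The two constraint forms under discussion, the exact pin on 0.21.1 and the loosened ^0.21.4 range, as an added example that is not code from this issue or from the project: a small Node script that resolves what each form admits under npm's caret rule for 0.x majors (^0.21.4 means >=0.21.4 <0.22.0) and audits a package.json for an axios constraint that can still resolve to a pre-fix release. The 0.21.4 cutoff is taken from the thread; `auditAxios` and the manifests in the test are a hypothetical helper and constructed input.

```javascript
// Added example (not from the issue or the nestjs/axios project). Assumes npm's
// caret rule for 0.x majors: ^0.21.4 means >=0.21.4 <0.22.0.
const MIN_FIXED = [0, 21, 4]; // first axios release the thread calls non-vulnerable
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
// Resolve an exact pin ("0.21.1") or caret range ("^0.21.4") to {min, max (exclusive)}.
function parseRange(range) {
  const r = range.trim();
  if (!r.startsWith('^')) {
    const exact = parseVersion(r);
    return { min: exact, max: [exact[0], exact[1], exact[2] + 1] };
  }
  const min = parseVersion(r.slice(1));
  // Caret freezes the left-most non-zero component; for 0.x that is the minor,
  // so ^0.21.4 never resolves to 0.22.0 even though it is newer.
  let max;
  if (min[0] > 0) max = [min[0] + 1, 0, 0];
  else if (min[1] > 0) max = [0, min[1] + 1, 0];
  else max = [0, 0, min[2] + 1];
  return { min, max };
}

function satisfies(version, range) {
  const { min, max } = parseRange(range);
  const v = parseVersion(version);
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// True when every version the range can resolve to is at or past the fix.
function rangeIsPatched(range) {
  return compare(parseRange(range).min, MIN_FIXED) >= 0;
}
// Audit a parsed package.json (hypothetical helper) for its axios constraint.
function auditAxios(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
  if (!deps.axios) return { present: false, range: null, patched: null };
  return { present: true, range: deps.axios, patched: rangeIsPatched(deps.axios) };
}
```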
Can we get this resolved (with #149) ASAP? This is critical for companies that need to stay within compliance in Snyk.
Any news about this? It's quite a blocker for more than a week.
Any updates? It's super critical...
Tracking this here #145