Closed dfdeagle47 closed 6 months ago
As explained in the GitHub issue, the axios package has a number of CVEs, the latest of which is fixed in versions > 1.6.0.
axios
This PR updates the axios package to the latest version (1.6.7) to address the open CVEs.
The use of axios in this library is fairly basic, it only uses axios.get here. I checked the following documentation:
axios.get
I did not detect a breaking change that would affect the use of axios here:
axios.get(url[, config])
data
I ran the test using npm run test and they still work fine:
npm run test
> npm run test > youtube-captions-scraper@2.0.2 test > ava 2 passed
I also built the package locally (npm run build), and used the output to run the following script:
npm run build
const { getSubtitles } = require('./dist/index'); async function main() { const subtitles = await getSubtitles({ videoID: 'dQw4w9WgXcQ' }); console.log(subtitles); } main();
and the result is as expected:
Some dependencies in yarn.lock file are also updated, mostly because they're sub-dependencies of axios.
yarn.lock
Checks
Context
As explained in the GitHub issue, the
axiospackage has a number of CVEs, the latest of which is fixed in versions > 1.6.0.Description
This PR updates the
axiospackage to the latest version (1.6.7) to address the open CVEs.The use of
axiosin this library is fairly basic, it only usesaxios.gethere. I checked the following documentation:I did not detect a breaking change that would affect the use of
axioshere:axios.get(url[, config])still exists with the same APIdataobjectTesting notes
I ran the test using
npm run testand they still work fine:I also built the package locally (
npm run build), and used the output to run the following script:and the result is as expected:
Misc
Some dependencies in
yarn.lockfile are also updated, mostly because they're sub-dependencies ofaxios.