alpacahq / alpaca-trade-api-js

Node.js library for Alpaca Trade API.
https://www.npmjs.com/package/@alpacahq/alpaca-trade-api
Apache License 2.0
515 stars 134 forks

Update axios to fix Cross-Site Request Forgery Vulnerability #269

Open mozeryansky opened 1 month ago

mozeryansky commented 1 month ago

npm audit shows the version of axios is outdated and has a vulnerability:

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @alpacahq/alpaca-trade-api@1.4.2, which is a breaking change
node_modules/axios
  @alpacahq/alpaca-trade-api  >=2.0.0
  Depends on vulnerable versions of axios
  node_modules/@alpacahq/alpaca-trade-api

I fixed this by upgrading the version and tested that everything still works:

  1. `git clone ...`
  2. `npm i`
  3. `npm run pretest && npm run test` (Confirmed all tests pass)
  4. `npm i axios@latest`
  5. `npm run pretest && npm run test` (All tests pass)
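
A follow-up check a consumer of the library could run after upgrading, as an added example that is not part of the original issue or the project's code: it scans a `package-lock.json` (lockfileVersion 2 or 3) for any installed axios copy, including nested ones, inside the range printed by `npm audit` above. The function names and the sample lockfile are assumptions made for illustration; the advisory page is authoritative and may list further ranges to add to `VULN_RANGES`.

```javascript
// Added example: not from the issue author or the alpaca-trade-api-js project.
// Range taken from the npm audit output quoted in the issue; extend from the advisory.
const VULN_RANGES = [{ min: [0, 8, 1], max: [0, 27, 2] }];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inVulnRange(version) {
  const v = parseVersion(version);
  if (v === null) return false;
  return VULN_RANGES.some((r) => compare(v, r.min) >= 0 && compare(v, r.max) <= 0);
}

// Walk the lockfile's "packages" map and return every axios install,
// top-level or nested under another dependency, that falls in a listed range.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/axios")) continue;
    if (inVulnRange(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the versions are illustrative, not real project data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/axios": { version: "1.6.8" },
    "node_modules/@alpacahq/alpaca-trade-api": { version: "2.0.0" },
    "node_modules/@alpacahq/alpaca-trade-api/node_modules/axios": { version: "0.21.4" },
  },
};

console.log(findVulnerableAxios(sampleLock));
```

In the constructed sample the top-level axios is outside the listed range, but the copy nested under the library is still flagged, which is the case a top-level `npm i axios@latest` in a consuming project does not resolve.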