frictionlessdata / datapackage-js

A JavaScript library for working with Data Package.
http://frictionlessdata.io/
MIT License

Upgrade axios to 0.19.0 #109

Closed nokome closed 4 years ago

nokome commented 4 years ago

Over in stencila, npm audit is giving us the following

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.18.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @stencila/encoda                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @stencila/encoda > datapackage > axios                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/880                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
<snip>

This should resolve that by upgrading axios to 0.19.0.

Note that npm outdated and npm audit show many other packages could also be updated. However, they are mainly dev dependencies so I haven't addressed them since they do not affect us and I didn't want to risk breaking things.
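The audit table above is the output of `npm audit` resolving a transitive path (`@stencila/encoda > datapackage > axios`) and comparing the installed version against the advisory's patched range (`>=0.18.1`). As an added example, not code from this PR or from datapackage-js, the script below does the same walk over a constructed `package-lock.json`-shaped tree: it reports every path that ends in a package whose version falls below the patched minimum, so a maintainer can see which nested dependency is actually pulling in the vulnerable release. The lockfile object, the `hypothetical-lib` package and the version numbers inside it are constructed for the example; only the package names and the `>=0.18.1` range come from the audit report above.

```javascript
// Added example: find transitive paths to a dependency whose installed
// version is below an advisory's patched minimum (mirrors the "Path" and
// "Patched in" rows of the npm audit table). Not part of datapackage-js.

// "Patched in >=0.18.1" from the audit report above.
const PATCHED_MIN = [0, 18, 1];

// Constructed, lockfile-v1-shaped tree (not a real package-lock.json).
// Versions of datapackage and hypothetical-lib are invented for the demo.
const SAMPLE_LOCK = {
  name: '@stencila/encoda',
  dependencies: {
    datapackage: {
      version: '1.0.0',
      dependencies: {
        axios: { version: '0.18.0' },            // below patched range
        'hypothetical-lib': {
          version: '2.0.0',
          dependencies: {
            axios: { version: '0.17.1' },        // also below, one level deeper
          },
        },
      },
    },
    axios: { version: '0.19.0' },                // top-level copy is patched
  },
};

// Parse "MAJOR.MINOR.PATCH" (ignores any prerelease/build suffix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric tuple comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version does not satisfy ">=patchedMin".
function isVulnerable(version, patchedMin) {
  return compareVersions(parseVersion(version), patchedMin) < 0;
}

// Depth-first walk of the nested "dependencies" maps, collecting every
// path that ends in pkgName with a version below patchedMin.
function findVulnerablePaths(lock, pkgName, patchedMin) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkgName && isVulnerable(meta.version, patchedMin)) {
        hits.push({ path: path.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, path);
    }
  }
  walk(lock.dependencies, [lock.name]);
  return hits;
}

// Usage: print each offending path in the same form npm audit uses.
for (const hit of findVulnerablePaths(SAMPLE_LOCK, 'axios', PATCHED_MIN)) {
  console.log(`${hit.path} (installed ${hit.version}, patched in >=0.18.1)`);
}
```

Because the walk records the full trail, the output distinguishes a direct dependency that is already patched (`@stencila/encoda > axios`) from nested copies that are not, which is exactly the distinction that decides whether a fix needs a new release of the intermediate package (here, `datapackage`) rather than of the top-level project.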

rufuspollock commented 4 years ago

@nokome thanks for this!

@roll can we get this published?

roll commented 4 years ago

Thanks.

It's released - https://www.npmjs.com/package/datapackage

nokome commented 4 years ago

Thanks for your quick attention to this!