Closed tiptenbrink closed 7 months ago
I second the need for upgrading the axios dependency. Even though the vulnerability doesn't apply to the way mollie uses the dependency, it takes away time from every developer having to research whether mollie is affected or not.
The new major version has been released (as a beta for now).
To install, use this:
npm install @mollie/api-client@beta
Hi,
Currently Mollie relies on axios ^0.27.2. This means any version 0.28 and beyond (including 1.0+ versions) doesn't satisfy this requirement. Recently, a CVE was published for axios versions <1.6.0 (see https://github.com/advisories/GHSA-wf5p-g6vw-rhxx). It would be great if 1.6.0 would at least be included as a supported version (by e.g. changing the dependency to >=0.27.2, <1.7.0 or <2.0.0 or similar).
I can maybe make a PR if that is desired.
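To make the range question concrete, here is an added example (not code from the mollie-api-node project) that implements just enough of npm's range syntax to show why `^0.27.2` can never resolve to the patched axios 1.6.0 while the proposed `>=0.27.2 <2.0.0` can; the version list is constructed for the demonstration, not the real release history.

```javascript
// Minimal semver range evaluator covering only the syntax this issue needs:
// caret ranges ("^x.y.z") and space-separated comparators (">=a.b.c <d.e.f").

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}

// Expand a caret range the way npm does: ^1.2.3 := >=1.2.3 <2.0.0, but for
// 0.x versions the minor is treated as the breaking component, so
// ^0.27.2 := >=0.27.2 <0.28.0. That is what shuts out every 1.x release.
function expandCaret(range) {
  const base = range.slice(1);
  const { major, minor } = parseVersion(base);
  const upper = major > 0 ? `${major + 1}.0.0` : `0.${minor + 1}.0`;
  return [`>=${base}`, `<${upper}`];
}

// True if every comparator in `range` accepts `version`.
function satisfies(version, range) {
  const comparators = range.startsWith("^") ? expandCaret(range) : range.trim().split(/\s+/);
  return comparators.every((c) => {
    const m = /^(>=|<=|>|<)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const [, op = "", target] = m;
    const d = compare(version, target);
    return { "": d === 0, ">=": d >= 0, "<=": d <= 0, ">": d > 0, "<": d < 0 }[op];
  });
}

// Which published versions a dependency declaration could resolve to.
// npm installs the highest match, so a range that admits the fixed version
// is what lets a fresh install or `npm update` actually pick it up.
function resolvable(range, candidates) {
  return candidates.filter((v) => satisfies(v, range));
}

// Constructed version list for the demonstration (not the real axios history).
const AXIOS_RELEASES = ["0.27.2", "0.28.0", "1.5.1", "1.6.0"];
console.log(resolvable("^0.27.2", AXIOS_RELEASES));          // ["0.27.2"]
console.log(resolvable(">=0.27.2 <2.0.0", AXIOS_RELEASES));  // all four, 1.6.0 is the highest
```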