mollie / mollie-api-node

Official Mollie API client for Node
http://www.mollie.com
BSD 3-Clause "New" or "Revised" License
228 stars, 62 forks

Active? #348

Closed Arjan-Zuidema closed 2 weeks ago

Arjan-Zuidema commented 1 month ago

Hi, is this package being maintained? Looks like there are a lot of open tickets and the last release is more than a year ago.

maria-swierblewska commented 1 month ago

Hi @Arjan-Zuidema, yes, this package is still maintained. We are checking with @Pimm on the plan for the next release.

Arjan-Zuidema commented 4 weeks ago

Any timeline? As we are now forced to use a beta package.

maria-swierblewska commented 4 weeks ago

@Arjan-Zuidema Pimm should get back to us soon, which are the most pressing issues from your perspective?

vdhpieter commented 2 weeks ago

@maria-swierblewska I would argue this issue: https://github.com/mollie/mollie-api-node/issues/346 is the most pressing, given that it is a security risk in the official package of a payment provider...

Arjan-Zuidema commented 2 weeks ago

Sorry for the late reply.

The above, code not matching the docs, TypeScript typings not up to date. For a payment provider it seems pretty lax to have outdated SDKs, imo.

Pimm commented 2 weeks ago

Please note that there is no security vulnerability in the current stable version of the client which might affect users (or at least not a known one).

The related vulnerability in Axios can potentially reveal a secret stored in a cookie to untrusted servers. This client is not designed to run in a browser, so cookies are not a concern. Furthermore, the client connects to the Mollie server exclusively. The vulnerability therefore does not pose an actual security risk to this client or its users.

The TypeScript typings are generated directly from the source code, and should thus be up-to-date.

The docs on docs.mollie.com unfortunately aren't always up-to-date. If you find an inconsistency, please report it.

To answer the original question: yes, the package is being maintained. Until version 4.x.x is released, you can use the beta distribution to eliminate the audit warning:

npm install @mollie/api-client@beta