Update axios dependency due to security vulnerability
sceee opened this issue · 8 comments
Do you want to request a feature or report a bug?
Report an outdated, vulnerable dependency.
What is the current behavior?
`axios` is not updated to a fixed version for the following advisory ( https://www.npmjs.com/advisories/1594 ), as bundlesize depends on axios `^0.19.0`, which prevents npm from updating the dependency to 0.21.1 or higher.
If the current behavior is a bug, please provide the steps to reproduce.
N/A
What is the expected behavior?
The `axios` dependency is updated to >=0.21.1 so that it depends on a version that fixes the following advisory: https://www.npmjs.com/advisories/1594
If this is a feature request, what is motivation or use case for changing the behavior?
N/A
Please mention other relevant information.
N/A
Additional note: there are two paths through which bundlesize pulls in axios, one direct and one transitive:
bundlesize > axios
bundlesize > github-build > axios
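As an added illustration (not part of this report or of the bundlesize project), the snippet below models npm's caret-range rules to show why a `^0.19.0` range can never resolve to the 0.21.1 fix: for 0.x versions a caret only permits patch updates. The range shown on the transitive github-build path is an assumption, since the report states only the direct one.

```javascript
// Added example, not code from bundlesize: models npm caret semantics to show
// why "^0.19.0" cannot resolve to the 0.21.1 release that fixes the advisory.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound of a caret range, following npm semver:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0 (0.x: only the patch may move), ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
  if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: base.patch + 1 };
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled here');
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Given each dependency path to a package and the range declared on it,
// return the paths whose range cannot resolve to the fixed version.
function pathsBlockingFix(paths, fixedVersion) {
  return paths.filter(p => !satisfiesCaret(p.range, fixedVersion)).map(p => p.path);
}

// Constructed input mirroring the two paths named in the report. The range on
// the transitive path is assumed; the report only gives the direct one.
const AXIOS_PATHS = [
  { path: 'bundlesize > axios', range: '^0.19.0' },
  { path: 'bundlesize > github-build > axios', range: '^0.19.0' },
];

// Both paths block the fix; a range of ^0.21.1 would admit it.
const blockedPaths = pathsBlockingFix(AXIOS_PATHS, '0.21.1');
console.log(blockedPaths, satisfiesCaret('^0.21.1', '0.21.1'));
```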
+1
+1
+1
+1
+1
Fixed in bundlesize@0.18.1
Also fixed in https://github.com/siddharthkp/bundlesize2