axios 0.19 is vulnerable

[nothingismagick]

The bug that 0.19 sought to resolve introduced other errors. You can continue to use it the way you are doing - but it's safer to pin to =0.18.1.

  "dependencies": {
    "axios": "0.18.1",

[lirantal]

@nothingismagick can you confirm which errors it is introducing and whether npq is affected by this?

[nothingismagick]

npq IS NOT technically affected as far as I can tell - otherwise I would never have posted it here. The error that MIGHT happen is if you start to actually predefine axios and then consume it later.

[nothingismagick]

The thing is that 0.19 was rushed out the door without real testing and tons of beta / alpha quality code was shipped - which broke a number of interfaces. This has been widely known for about 6 months.

[lirantal]

I see. Is there any benefit then in pinning it down if it doesn't affect us?

[nothingismagick]

I don't know what your plans are - but my concern is that there may be other as yet undiscovered vulnerabilities lying in wait. 0.18.1 ONLY fixed the vulnerability about evil remotes not hanging up.

[lirantal]

I would leave as is unless we see something specific

[nothingismagick]

Okey dokey.

[lirantal]

Nonetheless, appreciate the heads up!