Hello,

I would like to check whether you are already aware of the recent Axios supply chain incident involving the compromised versions 1.14.1 and 0.30.4. According to the public reports, these releases were maliciously published and should not be used.
From our side, we noticed that the latest @sap/cds version is currently using axios 1.14.0, which appears to be just before the compromised 1.14.1 release. Based on that, I wanted to understand whether you plan to wait until the Axios situation is fully stabilized before updating Axios again in future versions of this library.
Could you please clarify:

1. Are you already aware of this Axios incident and its impact on downstream consumers?
2. Do you plan to keep the current Axios version pinned for now?
3. Will you wait for Axios to stabilize further before resuming updates in future releases of this library?
I am asking mainly to understand the dependency strategy and the expected direction for consumers who rely on this package in enterprise environments.
Sources:
axios/axios#10604 (Official)
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Thank you.
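As an added example that is not part of the post above and not code from @sap/cds or Axios: a small Node.js script that walks a parsed `package-lock.json` (lockfile v1 nested tree as well as v2/v3 `packages` map), reports every installed copy of axios whose version is one of the two named in the post, and builds the `overrides` block for `package.json` that forces a single axios version across the tree. The lockfile contents, the `some-tool` package and the `@sap/cds` version string are constructed for the example; pinning to 1.14.0 is this example's assumption based only on the version the post reports, not a statement that 1.14.0 is known good.

```javascript
// Added example, not code from the original post, @sap/cds or Axios.
// Scans a parsed package-lock.json for the axios versions named in the post
// and produces an npm "overrides" entry to pin a single axios version.

// Versions the post reports as maliciously published (axios/axios#10604).
const COMPROMISED = { axios: new Set(['1.14.1', '0.30.4']) };

// Package name from a lockfile v2/v3 path such as
// "node_modules/@sap/cds/node_modules/axios" -> "axios".
function nameFromPath(p) {
  const marker = 'node_modules/';
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

// Return [{ name, version, where }] for every installed copy of a package
// that appears in COMPROMISED. Handles lockfileVersion 2/3 ("packages" map)
// and lockfileVersion 1 ("dependencies" nested tree); a v2 file carries
// both, so only the "packages" map is used when present to avoid double hits.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // root project entry, not a dependency
      const name = meta.name || nameFromPath(p);
      if (COMPROMISED[name] && COMPROMISED[name].has(meta.version)) {
        hits.push({ name, version: meta.version, where: p });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (COMPROMISED[name] && COMPROMISED[name].has(meta.version)) {
        hits.push({ name, version: meta.version, where });
      }
      if (meta.dependencies) walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Build a package.json object with an "overrides" entry (npm 8.3+) that
// forces every copy of `name` in the tree to `version`. Returns a new object.
function pinOverride(pkgJson, name, version) {
  return {
    ...pkgJson,
    overrides: { ...(pkgJson.overrides || {}), [name]: version },
  };
}

// Constructed sample lockfile (v3). The "some-tool" package and the
// @sap/cds version string are illustrative, not real resolved versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { '@sap/cds': '*', 'some-tool': '*' } },
    'node_modules/@sap/cds': { version: '0.0.0-constructed' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-tool': { version: '0.0.0-constructed' },
    'node_modules/some-tool/node_modules/axios': { version: '1.14.1' },
  },
};

// Usage: on a real project, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const hits = findCompromised(SAMPLE_LOCK);
for (const h of hits) {
  console.log(`compromised ${h.name}@${h.version} at ${h.where}`);
}
// Assumption: 1.14.0 is pinned only because it is the version the post
// reports @sap/cds resolving today.
console.log(JSON.stringify(pinOverride({ name: 'app' }, 'axios', '1.14.0'), null, 2));
```

A quick manual counterpart is `npm ls axios`, which lists every resolved copy of axios in the tree; the script above is useful when the check has to run in CI against the committed lockfile without installing anything. Note that an `overrides` pin only constrains what npm resolves; it does not verify the published tarball, so it belongs beside, not instead of, the lockfile scan.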