This should affect people only if they're not using specific versions and not using package-lock.json. It's exactly what those features are meant to do, updating should be a deliberate action. It's really bad that it's affected production sites so the devs will hopefully make use of package lock.
The sad fact is that the number of users who have good testing of their HTTP client is smaller than the number of people who have automatic dependency updates or would merge without successfully testing this.
With unit testing it us generally considered bad practice to test your dependencies and many people don't have good integration tests.
Either way people should not pull in new versions of dependencies and automatically deploy those to prod. One of the comments mentioned a app store review, which means that they pull in unpinned versions in a app that they cannot update by themselves. That is crazy.
All those people saying that this is unacceptable negligence from the developers should request a refund. I'm sure they'll get all the money they paid for Axios back in no time.
That comment section in github is just littered with stupid.
If you have a dependency like this that could be production breaking then lock it down. Do not upgrade it without someone looking at it. Or have a set of tests that do that for you.
Axios broke something but who cares. If your build broke or your application broke then you have something to fix not the axios devs.
It is too bad github does not have a "put on your bigboy pants" icon.
All these comments on GitHub are amazing to me. How do you let a new build of your project with a new version of a such a fundamental dependency get deployed to _production_ without being tested first, manually or otherwise?
More specifically: A public CDN whose content they don't own, and that can change at any point in time.
If it would be a private CDN which points only to the content they explicitly published as part of a build&release process they wouldn't have the problem.
If you rely on public artifacts that others published, all your availability and security guarantees are gone.
I have seen this kind of thing(no lock files) in few of recent clients' work when trying to fix their issues that came "out of nowhere" after recent deployment, as they said.
Lockfiles in Node do not work well. Many projects outright disable them and instead pin dependencies. They were designed and implemented in a rush, and it shows.
Low level? Really? Can you point something that is achieved on axios with few lines of code that fetch couldn't do it with few lines of code too? I can't considerate fecth.get().then(res => res.json().then(data => /.../)) A Low level thing.
Even if some difference actually matters (e.g. setting a timeout), it would be wise to wrap axios or fetch in a custom function, which obviates the need to use either for most developers using the codebase.
I don't use axios often, but if I need to intercept requests, or set global headers I always need to wrap my fetch function and creating my own "axios". Axios can do these things without hassle.
Anyone who allowed this to hit production should take a serious look at their testing process. This basically looks like axios's get method, which is probably a core use of the library, simply went missing. This should not have been a difficult issue for the most basic automated testing library or manual testing process to identify.
That being said, the ultimate culprit here is the nodeJS system. npm install will add the package with it being setup to upgrade to the latest minor version by default, instead of the obvious choice of fixing it to the specific version that was installed.
Further, the package-lock.json technology is neither well explained by NodeJS, nor well documented. The process one should use is not well explained either. And often fairly trivial changes will lead to significant changes in package-lock.json.
It looks like at least some of the individuals claiming production issues are pulling the latest version of Axios from a CDN. It doesn't seem like they actively pushed a release to production without adequate testing. Not that I disagree with your overall point, but it's at least a little bit less damning.
25 comments
[ 8.1 ms ] story [ 85.0 ms ] threadWith unit testing it us generally considered bad practice to test your dependencies and many people don't have good integration tests.
https://github.com/axios/axios#installing
If you have a dependency like this that could be production breaking then lock it down. Do not upgrade it without someone looking at it. Or have a set of tests that do that for you.
Axios broke something but who cares. If your build broke or your application broke then you have something to fix not the axios devs.
It is too bad github does not have a "put on your bigboy pants" icon.
Many of these products are likely commercial based on their comments
Not pinning and not testing is egregious enough but to use a CDN for a web-based cross-platform app? Absurd.
If it would be a private CDN which points only to the content they explicitly published as part of a build&release process they wouldn't have the problem.
If you rely on public artifacts that others published, all your availability and security guarantees are gone.
That being said, the ultimate culprit here is the nodeJS system. npm install will add the package with it being setup to upgrade to the latest minor version by default, instead of the obvious choice of fixing it to the specific version that was installed.
Further, the package-lock.json technology is neither well explained by NodeJS, nor well documented. The process one should use is not well explained either. And often fairly trivial changes will lead to significant changes in package-lock.json.