My project depends on `analytics-node`, which has a dependency on `axios: "^0.16.2"`.

We have been flagged by `npm audit` that `axios` has a vulnerability in it, but it's fixed in 0.18.1. However, `analytics-node` has no release candidate (only a beta) which depends on 0.18.1 or higher.

We have tried `npm audit fix`, `npm update axios --depth 2`, and `npm install [email protected]`.

The part I am most confused about is why npm doesn't allow us to override `analytics-node`'s version of `axios`, given that the version should be compatible.
npm-force-resolutions specifically fixes transitive dependency version resolutions for this exact reason.
It would be nicer if there was a supported way to do this with package-lock.json though.
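The `npm-force-resolutions` approach from the comment above, as an added example that is not part of the original question or of either project's own code. It assumes the dependency names from the question (`analytics-node` and `axios`); the project name and the `^3.3.0` range for `analytics-node` are placeholders, and `0.18.1` is the fixed `axios` version named in the question. The `resolutions` field is read by `npm-force-resolutions`, not by npm itself, which is why it has to run in a `preinstall` hook:

```json
{
  "name": "my-project",
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "dependencies": {
    "analytics-node": "^3.3.0"
  },
  "resolutions": {
    "axios": "0.18.1"
  }
}
```

`npm-force-resolutions` works by rewriting `package-lock.json`, so a lock file must already exist when `npm install` runs the hook; it pins every nested `axios` entry (including the one under `analytics-node`) to 0.18.1, and the following install honours the rewritten lock. Afterwards, `npm ls axios` should show a single 0.18.1 entry and `npm audit` should no longer report the advisory. The caveat is the one the question already raises: this forces a version that `analytics-node` never declared support for, so the override only holds if the two are actually compatible, and that has to be confirmed by running the project's own tests. For what it is worth, npm 8.3 and later ships a built-in `overrides` field in `package.json` that does the same job without a third-party preinstall hook.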