⚠️ axios issue (i just found out… maybe check your project once)
so yeah… i just came across this today and it honestly surprised me 😅
apparently axios had some kind of supply chain issue yesterday (31 march).
for a small time window, some bad versions were published.
and the weird part is…
👉 just running npm install was enough
👉 you didn’t even have to use axios in your code
what i understood (might not be perfect)
from what i read:
- some axios versions were compromised
- there was a hidden dependency (plain-crypto-js)
- it had a script that runs on install
- it was trying to access env vars / keys / stuff like that
ngl… didn’t know npm packages can do this automatically
when this happened
i think it was something like:
31 march — around 3 hours window
so if you installed deps around that time, maybe just check once
how i checked my project
i didn’t do anything fancy
just looked inside my package-lock.json and searched for:
- axios@1.14.1
- axios@0.30.4
- plain-crypto-js
also ran this:
grep -E "axios" package-lock.json | grep -E "1\.14\.1|0\.30\.4"
it returned nothing for me so i think i’m safe (hopefully 😅)
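the grep above works on lockfile v2/v3 mostly because the "resolved" url line happens to carry both the package name and the version. if you'd rather parse the lockfile properly (and also catch the hidden dependency nested under another package), here is a small script i'm adding as an example, not something from the original post or from the axios project. it only knows the indicators named above (axios 1.14.1, axios 0.30.4, and plain-crypto-js at any version); the sample lockfiles at the bottom are constructed for a self-check, not real project files.

```python
"""Scan a package-lock.json for the indicators named in the post.
Added example, not from the original post. Handles lockfileVersion 1
(nested "dependencies") and 2/3 (flat "packages" keyed by path)."""
import json

# Indicators taken from the post: the two axios versions and the
# hidden dependency name. Any version of plain-crypto-js is flagged.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_NAMES = {"plain-crypto-js"}


def _walk_v1(deps, path, hits):
    """lockfileVersion 1: dependencies nest recursively under each package."""
    for name, info in (deps or {}).items():
        version = info.get("version", "")
        here = path + [name]
        if name in BAD_NAMES or version in BAD_VERSIONS.get(name, ()):
            hits.append(f"{'/'.join(here)}@{version}")
        _walk_v1(info.get("dependencies"), here, hits)


def find_indicators(lock):
    """Return a sorted list of 'path@version' strings for every match."""
    hits = []
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2 or 3: keys look like node_modules/a/node_modules/b
        for path, info in packages.items():
            if path == "":
                continue  # the root project entry, not a dependency
            # Package name is the part after the last "node_modules/" (keeps @scope/name intact)
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            version = info.get("version", "")
            if name in BAD_NAMES or version in BAD_VERSIONS.get(name, ()):
                hits.append(f"{path}@{version}")
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), [], hits)
    return sorted(hits)


def scan_file(path):
    """Load a lockfile from disk and return its indicator hits."""
    with open(path, encoding="utf-8") as f:
        return find_indicators(json.load(f))


# Constructed sample lockfiles (not real project files) for a quick self-check.
CLEAN_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "1.7.9"}}}
HIT_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "0.1.0"}}}
HIT_V1 = {"lockfileVersion": 1, "dependencies": {
    "axios": {"version": "0.30.4",
              "dependencies": {"plain-crypto-js": {"version": "0.1.0"}}}}}

if __name__ == "__main__":
    import sys
    # Usage: python scan_lock.py path/to/package-lock.json
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_file(target) if target else find_indicators(HIT_V3)
    print("\n".join(hits) or "no indicators found")
```

one more thing worth knowing since the post mentions the install script: npm has a real flag, npm install --ignore-scripts, that skips lifecycle scripts like postinstall. it won't make a bad package safe to import, but it does stop the "just running npm install was enough" part while you're checking a lockfile you don't trust yet.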
if you find it (what i read you should do)
i haven’t faced it personally but from what others said:
- downgrade axios to safe version
- delete node_modules + lockfile
- reinstall everything
- and rotate keys (this part sounds scary tbh)
small takeaway (for me at least)
i used to not care much about lockfiles or versions
but this made me realize:
- things can break even if your code is fine
- dependencies are a big trust system
- maybe pinning versions is actually important
that’s it
i’m still learning all this so if i got something wrong pls correct me 🙏
just sharing in case it helps someone 👍