| ▲ | h4ch1 13 hours ago |
| I can't even imagine the scale of the impact with Axios being compromised, nearly every other project uses it for some reason instead of fetch (I never understood why). Also from the report: > Neither malicious version contains a single line of malicious code inside axios itself. Instead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT) Good news for pnpm/bun users who have to manually approve postinstall scripts. |
|
| ▲ | beart 13 hours ago | parent | next [-] |
| > nearly every other project uses it for some reason instead of fetch (I never understood why). Fetch wasn't added to Node.js as a core package until version 18, and wasn't considered stable until version 21. Axios has been around much longer and was made part of popular frameworks and tutorials, which helps continue to propagate it's usage. |
| |
| ▲ | seer 13 hours ago | parent | next [-] | | Also it has interceptors, which allow you to build easily reusable pieces of code - loggers, oauth, retriers, execution time trackers etc. These are so much better than the interface fetch offers you, unfortunately. | | |
| ▲ | reactordev 13 hours ago | parent | next [-] | | You can do all of that in fetch really easily with the init object. fetch('https://api.example.com/data', {
headers: {
'Authorization': 'Bearer ' + accessToken
}
}) | | |
| ▲ | zdragnar 11 hours ago | parent | next [-] | | There are pretty much two usage patterns that come up all the time: 1- automatically add bearer tokens to requests rather than manually specifying them every single time 2- automatically dispatch some event or function when a 401 response is returned to clear the stale user session and return them to a login page. There's no reason to repeat this logic in every single place you make an API call. Likewise, every response I get is JSON. There's no reason to manually unwrap the response into JSON every time. Finally, there's some nice mocking utilities for axios for unit testing different responses and error codes. You're either going to copy/paste code everywhere, or you will write your own helper functions and never touch fetch directly. Axios... just works. No need to reinvent anything, and there's a ton of other handy features the GP mentioned as well you may or may not find yourself needing. | | |
| ▲ | arghwhat 8 hours ago | parent | next [-] | | Interceptors are just wrappers in disguise. const myfetch = async (req, options) => {
let options = options || {};
options.headers = options.headers || {};
options.headers['Authorization'] = token;
let res = await fetch(new Request(req, options));
if (res.status == 401) {
// do your thing
throw new Error("oh no");
}
return res;
}
Convenience is a thing, but it doesn't require a massive library. | | |
| ▲ | 8 hours ago | parent | next [-] | | [deleted] | |
| ▲ | nailer 7 hours ago | parent | prev | next [-] | | That fetch requires so many users to rewrite the same code - that was already handled well by every existing node HTTP client- says something about the standards process. | | |
| ▲ | arghwhat 7 hours ago | parent [-] | | It could also be trivially written for XMLHttpRequest or any node client if needed. Would be nice if they had always been the same, but oh well - having a server and client version isn't that bad. Because it is so few lines it is much more sensible to have everyone duplicate that little snippet manually than import a library and write interceptors for that... (Not only because the integration with the library would likely be more lines of code, but also because a library is a significantly liability on several levels that must be justified by significant, not minor, recurring savings.) | | |
| ▲ | nailer 2 hours ago | parent [-] | | > Because it is so few lines it is much more sensible to have everyone duplicate that little snippet manually Mine's about 100 LOC. There's a lot you can get wrong. Having a way to use a known working version and update that rather than adding a hundred potentially unnecessary lines of code is a good thing. https://github.com/mikemaccana/fetch-unfucked/blob/master/sr... > import a library and write interceptors for that... What you suggesting people would have to intercept? Just import a library you trust and use it. | | |
| ▲ | reactordev an hour ago | parent [-] | | But you said so yourself they are necessary… otherwise you would just use fetch. This reasoning is going around in circles. | | |
| ▲ | nailer an hour ago | parent [-] | | Why the 'but'? Where is the circular reasoning? What are you suggesting we have to intercept? - Don't waste time rewriting and maintaining code unecessarily. Install a package and use it. - Have a minimum release age. I do not know what the issue is. |
|
|
|
| |
| ▲ | pixel_popping 8 hours ago | parent | prev [-] | | but it does for massive DDoS :p |
| |
| ▲ | rjmunro 6 hours ago | parent | prev | next [-] | | > Likewise, every response I get is JSON. fetch responses have a .json() method. It's literally the first example in MDN: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/U... It's literally easier than not using JSON because I have to think about if I want `repsponse.text()` or `response.body()`. | |
| ▲ | abluecloud 6 hours ago | parent | prev | next [-] | | that's such a weak argument. you can write about 20 lines of code to do exactly this without requiring a third party library. | |
| ▲ | anon7000 11 hours ago | parent | prev | next [-] | | Helper functions seem trivial and not like you’re reimplementing much. | | |
| ▲ | creshal 8 hours ago | parent [-] | | Don't be silly, this is the JS ecosystem. Why use your brain for a minute and come up with a 50 byte helper function, if you can instead import a library with 3912726 dependencies and let the compiler spend 90 seconds on every build to tree shake 3912723 out again and give you a highly optimized bundle that's only 3 megabytes small? |
| |
| ▲ | sayamqazi 10 hours ago | parent | prev | next [-] | | > usage patterns IMO interceptors are bad. they hide what might get transformed with the API call at the place it is being used. > Likewise, every response I get is JSON. There's no reason to manually unwrap the response into JSON every time. This is not true unless you are not interfacing with your own backends. even then why not just make a helper that unwraps as json by default but can be passed an arg to parse as something else | |
| ▲ | hiccuphippo 4 hours ago | parent | prev [-] | | One more use case for Axios is it automatically follows redirects, forwarding headers, and more importantly, omiting or rewriting the headers that shouldn't be forwarded for security reasons. | | |
| |
| ▲ | mhio 12 hours ago | parent | prev [-] | | What does an interceptor in the RequestInit look like? | | |
| |
| ▲ | meekins 13 hours ago | parent | prev [-] | | It also supports proxies which is important to some corporate back-end scenarios | | |
| |
| ▲ | nedt 2 hours ago | parent | prev [-] | | Before that we had node-fetch. If you already use a dependency why not one that's pretty much what will come natively to every JS runtime soon. | | |
| ▲ | zarzavat 2 hours ago | parent [-] | | The fetch API is designed for browsers. It's not designed for servers. Fetch may work for a particular use case on the server, it may not. Servers have needs over and above what a browser allows the client to do. |
|
|
|
| ▲ | PunchyHamster 4 hours ago | parent | prev | next [-] |
| > I can't even imagine the scale of the impact with Axios being compromised, nearly every other project uses it for some reason instead of fetch (I never understood why). You can remember this answer for every time you ask same question again: "Coz whatever else/builtin was before was annoying enough for common use cases" |
|
| ▲ | eviks 13 hours ago | parent | prev | next [-] |
| > Good news for pnpm/bun users who have to manually approve postinstall scripts. Would they not have approved it for earlier versions? But also wouldn't the chance of addition automatic approval be high (for such a widely used project)? |
| |
| ▲ | arcfour 12 hours ago | parent | next [-] | | The prompt would be to approve the new malicious package (plain-crypto-js)'s scripts, too, which could tip users off that something was fishy. If they were used to approving one for axios and the attackers had just overwrote axios's own instead of making a new package, it would probably catch people out. | |
| ▲ | bpev 11 hours ago | parent | prev | next [-] | | Assuming axios didn't have a postinstall script before, it wouldn't have been approved for a previous version. If you ignore it, you ignore it, but postinstall scripts are relatively rare in npm deps, so it would seem a bit out of place when the warning pops up. | |
| ▲ | h4ch1 12 hours ago | parent | prev [-] | | Can't speak for other devs but I like to read postinstall scripts or at least put them through an LLM if they're too hard to grok. It's also a little context dependent, for example if I was using Axios and I see a prompt to run the plain-crypto-js postinstall script, alarm bells would instantly ring, which would at least make me look up the changelog to see why this is happening. In most cases I don't even let them run unless something breaks/doesn't work as expected. |
|
|
| ▲ | martmulx 13 hours ago | parent | prev | next [-] |
| Does pnpm block postinstall on transitive deps too or just top-level? We have it configured at work but I've never actually tested whether it catches scripts from packages that get pulled in as sub-dependencies. |
| |
| ▲ | arcfour 12 hours ago | parent | next [-] | | It prompts for transitive dependencies, too. I have never had workerd as a direct dependency of any project of mine but I get prompted to approve its postinstall script whenever I install cloudflare's wrangler package (since workerd needs to download the appropriate Workers runtime for your platform). | |
| ▲ | dawnerd 12 hours ago | parent | prev [-] | | From what I can tell, it blocks it everywhere. | | |
| ▲ | martmulx 8 hours ago | parent [-] | | That's solid, really helps lock down the supply chain attack surface. Do you ever end up having to whitelist anything that legitimately needs to run on install? | | |
| ▲ | homebrewer 6 hours ago | parent [-] | | After using pnpm for years (at least 5, don't remember exactly), I've only ever had to whitelist one library that uses a postinstall script to download a native executable for your system. And even this is not necessary, it's just poorly designed. For example, esbuild and typescript 7 split binaries for different systems and architectures into separate packages, and rely on your package manager to pull the correct one. |
|
|
|
|
| ▲ | TZubiri 3 hours ago | parent | prev | next [-] |
| >(I never understood why). Because axios existed before the builtin fetch, and so there's a lot of stackoverflow answers explaining how to use fetch, and the llm models are trained on that, so they will write axios requests instead of fetch |
|
| ▲ | 12 hours ago | parent | prev [-] |
| [deleted] |
