Node.js HTTP client axios pushes broken update breaking production apps

19 points, posted by bkq, over 2 years ago

8 comments

politelemon, over 2 years ago
This should affect people only if they're not using specific versions and not using package-lock.json. It's exactly what those features are meant to do, updating should be a deliberate action. It's really bad that it's affected production sites so the devs will hopefully make use of package lock.

mb7733, over 2 years ago
All these comments on GitHub are amazing to me. How do you let a new build of your project with a new version of such a fundamental dependency get deployed to _production_ without being tested first, manually or otherwise?

tonetheman, over 2 years ago
That comment section in github is just littered with stupid.

If you have a dependency like this that could be production breaking then lock it down. Do not upgrade it without someone looking at it. Or have a set of tests that do that for you.

Axios broke something but who cares. If your build broke or your application broke then you have something to fix not the axios devs.

It is too bad github does not have a "put on your bigboy pants" icon.

asdajksah2123, over 2 years ago
Anyone who allowed this to hit production should take a serious look at their testing process. This basically looks like axios's get method, which is probably a core use of the library, simply went missing. This should not have been a difficult issue for the most basic automated testing library or manual testing process to identify.

That being said, the ultimate culprit here is the nodeJS system. npm install will add the package with it being set up to upgrade to the latest minor version by default, instead of the obvious choice of fixing it to the specific version that was installed.

Further, the package-lock.json technology is neither well explained by NodeJS, nor well documented. The process one should use is not well explained either. And often fairly trivial changes will lead to significant changes in package-lock.json.
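
The caret-range default and the lock file discussed in the comments above, as an added example that is not part of any comment or of the axios project: a small Node.js audit that reports which direct dependencies can change between two installs. The function names, the `example-lib` package and all version numbers are constructed for illustration.

```javascript
// Added example: report which direct dependencies can change between two
// installs. Inputs are already-parsed package.json / package-lock.json objects.

// An exact semver version such as "1.3.0" (no ^, ~, >=, x or * range).
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Version recorded in the lock file, or null.
// lockfileVersion 2/3 uses packages["node_modules/<name>"],
// lockfileVersion 1 uses dependencies[<name>].
function lockedVersion(lock, name) {
  if (!lock) return null;
  const v2 = lock.packages && lock.packages[`node_modules/${name}`];
  const v1 = lock.dependencies && lock.dependencies[name];
  return (v2 && v2.version) || (v1 && v1.version) || null;
}

function auditPins(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const locked = lockedVersion(lock, name);
      let status;
      if (locked) status = "locked"; // reproducible with `npm ci`
      else if (EXACT.test(spec)) status = "exact-no-lock"; // its own deps still float
      else status = "floating"; // the next install may pick a newer release
      findings.push({ name, spec, locked, status });
    }
  }
  return findings;
}

// Names of direct dependencies not covered by the lock file.
function unlockedNames(pkg, lock) {
  return auditPins(pkg, lock).filter((f) => f.status !== "locked").map((f) => f.name);
}

// Constructed sample manifests (not taken from any real project).
const samplePkg = {
  dependencies: { axios: "^1.0.0", "example-lib": "1.3.0" },
  devDependencies: { jest: "~29.0.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/jest": { version: "29.0.3" },
  },
};

console.log(auditPins(samplePkg, null)); // no lock file committed
console.log(auditPins(samplePkg, sampleLock)); // lock file present
```

In CI, `npm ci` installs exactly what the lock file records and fails when it disagrees with package.json; `npm install --save-exact` writes an exact version instead of a caret range.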

nevon, over 2 years ago
All those people saying that this is unacceptable negligence from the developers should request a refund. I'm sure they'll get all the money they paid for Axios back in no time.

sgadimbayli, over 2 years ago
I have seen this kind of thing (no lock files) in a few recent clients' work when trying to fix their issues that came "out of nowhere" after a recent deployment, as they said.

robswc, over 2 years ago
Mostly a backend dev but worked on a few projects with NPM… so how does this even happen? Devs just updating axios without looking at it just because?

peanut_worm, over 2 years ago
why do people still use axios?