Hacker News

As others said, no one should be using axios in 2026, fetch has been available in node v18 (experimental) in 2022 [0], stable since v21 in 2023 [1], although Claude Code sometimes will suggest it, probably worth adding a rule.

Side note. I'm sure many of you know this, but for those who don't, setting min-release-age=7 in .npmrc (needs npm 11.10+), would have made the malicious axios (@1.14.1 and @0.30.4) invisible to npm install (removed within ~3h). Same for ua-parser-js (caught within hours) and node-ipc (caught in days). It wouldn't have prevented event-stream (over 2 months), but you can't win them all.

Some examples (hat tip to [2]):

  ~/.config/uv/uv.toml
  exclude-newer = "7 days"

  ~/.npmrc
  min-release-age=7 # days

  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes

  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds

p.s. sorry for the plug, but we released a free tool ([3]) to gather all these settings + a cli to auto configure them. You can set these settings without it, but if you are confused (like me) with what is in minutes, what's in seconds, what is in days and where each of them is located, this might save you a few keystrokes / prompts (it also ensures you have the right min version for the package manager, otherwise you'll have the settings but they would be ignored...)

[0] https://nodejs.org/en/blog/announcements/v18-release-announc...

[1] https://nodejs.org/en/blog/release/v21.0.0

[2] https://news.ycombinator.com/item?id=47513932

[3] https://depsguard.com

ga_to 8 hours ago [ - ]

Nice ad you got there. How do I define request interceptors with fetch? Axios does it.

eranation 7 hours ago [ - ]

You can add your own wrapper but if you're building a whole auth/retry/logging layer, axios is probably better for that. For most other use cases a small wrapper will do the job.

Didn't mean it as an ad btw, the supply chain risk is real though. Axios could be the best HTTP library ever written and it still would've dropped a RAT on your laptop on March 31 without min-release-age set.

tlb 3 hours ago [ - ]

Of course, when everyone sets min-release-age=7, supply chain attacks won't get noticed until 7 days later. So you should set min-release-age=14 and be safe forever.

eranation 2 hours ago [ - ]

I chuckled, but in all seriousness, thankfully those individuals and companies who often discover these attacks listen in on every new npm push and analyze it relatively fast. The time to detect is sometimes in minutes in recent months, less than the process of getting npm to remove the packages. Not always but looking at recent ones and advances in latest SOTA models make detection easier than ever. It might change as attackers get more sophisticated.