Description
I ran an npm audit on my monorepo and got 1 critical transitive dependency warning caused by
`nilion/nuc > cosmjs/stargate > tendermint-rpc > axios > form-data`
While I am a bit hesitant to overinterpret the term "critical" in this context, it feels like the code can have real harmful effects when it's part of a production deployment, see: GHSA-fjxv-7rqg-78g4
I didn't test the side effects of this upgrade at all, I just wanted to bring it to your attention. I checked the dependencies of the latest cosmjs versions, and the later ones don't depend on axios at all anymore.
On another note, I'm 100% not a library publishing expert and I haven't followed the state of this debate for years, but I remember that some people & stacks advise not committing lock files to library repos (only to packages that aren't dependencies, like apps), as that might prevent clients from pulling in the latest versions of transitive dependencies. I don't want to get into that rabbit hole again, maybe you'd want to: https://lsferreira.net/posts/lockfile-lib-misconception/ If not, please ignore the last paragraph ;)