[Bug]: @alpacahq/alpaca-trade-api uses outdated axios version 0.21.4

[ManfredLange]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

When I add @alpacahq/alpaca-trade-api version 3.1.2 (newest as of writing) as a dependency, this adds an indirect dependency of axios version 0.21.4 which contains a moderate vulnerability, see GHSA-wf5p-g6vw-rhxx for more details on that vulnerability.

Expected Behavior

When I add @alpacahq/alpaca-trade-api it should add a or the most recent version of all its dependencies, e.g. axios version 1.7.8.

SDK Version I encountered this issue in

alpaca-trade-api 3.1.2

Steps To Reproduce

1. In a node environment, add `@alpacahq/alpaca-trade-api` to the project
2. Use your favorite package manager to fix vulnerabilities, e.g. "pnpm audit fix" to check for vulnerabilities.
3. Use a tool like "pnpm why axios" to confirm that `@alpacahq/alpaca-trade-api` uses it as an indirect dependency

Filled out the Steps to Reproduce section?

• I have entered valid steps to reproduce my issue or have attached a minimally reproducible case in code that shows my issue happening; and understand that without this my issue will be flagged as invalid and closed after 30 days.

Anything else?

It might make sense to consider a practice whereby keeping all dependencies on a recent version.

Also, it might make sense to consider making @alpacahq/alpaca-trade-api ESM-compatible. Based on the information I have at this time, axios is not ESM-compatible. A suitable replacement could be node-fetch which is ESM-compatible.

[chand1012]

Because Axios is such an old version, its missing an adapter for using fetch in environments where that's needed (for example, Cloudflare Workers). Here's the error I got when trying to use this module from within a worker.

[ManfredLange]

Doesn't appear as if there is a lot of interest by Alpaca to keep these libraries up-to-date.

They should make a decision. Either look after these libraries - is it any better for other languages? - or archive the repo,

The worst thing is to just let it sit there in limbo. For people to have to find out by themselves is just a waste of time.

We are considering to ditch this npm package and build our own with just what we need. That'd be a shame, though, as we wouldn't built the same functionality.

Another option would be to fork it and publish it as a "working" package. However, we don't work for free and Alpaca wants us to make use of their API-first brokerage and trading solution. If they want others to maintain this package, then they should indicate what they would be willing to contribute financially, e.g. via sponsoring.

My two cents.

cc @noramehesz @gnvk @markSbrandt

[chand1012]

@ManfredLange seems like the reason this library isn't actively developed is that they're working on an alternative library, alpaca-ts. However I do agree that there should be some resemblance of support for this library, especially with all the open issues and PRs.

[ManfredLange]

@chand1012 Thank you for that link. I wasn't aware.

Trouble with that project: The last commit was in June 2024. This issue - alpacahq/typescript-sdk#1 - is supposed to track progress. It has received just one comment since June 2024 and that was to point out that the NPM package appears to be missing a file.

The last time the package was published to npmjs was in Jun 2024 as well. According to their README.md, test coverage (however it is measured) is at a mere 35%. That should be sitting at over 90% at all times, and that is feasible and reasonable even while the library is being developed (TDD anyone?).

That project has a single contributor who committed from April to June 2024, and after that nothing. No commit, no other contributor.

All up, I don't get the impression that that library is actively developed at the moment. I will keep an eye on it, though, in case it gets moving again.

[vicary]

@ManfredLange Thinking Alpaca being an API-first broker, the current effort to maintain their SDK sends quite a different message TBH.

Quoting my question on discard regarding their TypeScript SDK,

It's disappointing especially when their TypeScript SDK looks much more polished and promising is also ditched, because the main author left their team.

[ManfredLange]

This issue is still present in version 3.1.3 of the package @alpacahq/alpaca-trade-api

[ManfredLange]

@vicary I totally agree. Claiming to be an API-first broker is one thing. Being one is a different one.

It's obviously a business decision whether to provide SDKs or libraries for any language. However, if they provide a library, then it should be properly maintained. If they don't want to properly maintain it, then they should say so. Everybody deserves clarity.

At I see it: At the moment, because of this uncertainty - are they or aren't they maintaining this npm package properly - there is no incentive in the community to create and maintain an alternative. Any such attempt would run the risk of being superseded the next moment, once someone at Alpaca gets the idea, "hey, let's do another release".

I am not expecting them to maintain or not maintain this package. That is their decision. I would very much appreciate, though, to hear an official statement from them one way or the other. With such a statement, we could then all move on and draw our own conclusions.