[Bug]: Multiple Security Vulnerabilities regarding Dependencies (e.g. axios)

[iocron]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

npm is complaining about multiple dependencies (e.g. axios) with severity "high". I've created a pull request regarding those issues (#288).

There is a overlapping (but outdated) issue specific to axios (#269). But It seems like nearly all pull requests are stalled since 2024.

How to reproduce:

1. git clone git@github.com:alpacahq/alpaca-trade-api-js.git
2. npm audit

Expected Behavior

No response

SDK Version I encountered this issue in

alpaca-trade-api-js v3.1.3

Steps To Reproduce

How to reproduce:
1. `git clone git@github.com:alpacahq/alpaca-trade-api-js.git`
2. `npm audit`

Filled out the Steps to Reproduce section?

• I have entered valid steps to reproduce my issue or have attached a minimally reproducible case in code that shows my issue happening; and understand that without this my issue will be flagged as invalid and closed after 30 days.

Anything else?

No response

[gmorana]

I got this audit report for Alpaca version 3.1.3

npm audit report

axios <=0.29.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - GHSA-jr5f-v2jv-69x6
fix available via npm audit fix --force
Will install @alpacahq/alpaca-trade-api@1.4.2, which is a breaking change
node_modules/axios
@alpacahq/alpaca-trade-api >=2.0.0
Depends on vulnerable versions of axios
node_modules/@alpacahq/alpaca-trade-api

If the "npm audit fix --force" is run, then it breaks my app with the old Alpaca API.
Do you happen to have a fix soon?