
Remove Axios from Slack Packages

Open JacobWilson01 opened this issue 4 months ago • 6 comments

Axios has a ton of vulnerabilities that come up frequently (it's almost once a month). Can we replace/remove this package?

Packages:

Select all that apply:

  • [x] @slack/web-api
  • [ ] @slack/rtm-api
  • [x] @slack/webhooks
  • [ ] @slack/oauth
  • [ ] @slack/socket-mode
  • [ ] @slack/types
  • [ ] I don't know

Requirements

Please read the Contributing guidelines and Code of Conduct before creating this issue or pull request. By submitting, you are agreeing to those rules.

JacobWilson01 avatar Sep 11 '25 22:09 JacobWilson01

Hey @JacobWilson01! 👋 Thanks for sharing this with us.

We're keeping track of this in #1525 for #2359 and are making active developments to remove the axios package in an upcoming release with hopes of a more compatible alternative.

zimeg avatar Sep 11 '25 23:09 zimeg

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar Oct 13 '25 00:10 github-actions[bot]

#2368 was closed on the basis this would be actioned. Please reopen #2368 if you aren't going to remove axios imminently.

MarkFarmiloe avatar Oct 17 '25 08:10 MarkFarmiloe

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar Nov 24 '25 00:11 github-actions[bot]

This issue needs to be prioritized.

andriyor avatar Nov 24 '25 10:11 andriyor

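Have you already considered some candidate replacement libraries? Just as one personal example, I have been using the following library for about two years, and as far as I recall it has had no major vulnerability reports. https://www.npmjs.com/package/postman-request

Even if you are already moving to a replacement library, if that is going to take time, I would appreciate it if you could address CVE-2025-58754 by upgrading the axios version.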

makiRails avatar Dec 02 '25 06:12 makiRails