⚠️ [SOLVED] Axios Compromised, Meteor 3.4 affected?

I don’t have any direct Axios dependencies, but in searching my system I saw that Meteor 3.4 does, through rspack (@rsdoctor/rspack-plugin).

rsdoctor has already patched this in 1.5.7.

To be safe, I added the following to my package.json:

```json
"overrides": {
  "axios": "1.14.0"
}
```

and pinned

```json
"devDependencies": {
  "@rsdoctor/rspack-plugin": "1.5.7"
}
```

Don’t know if more needs to be done. The first link has steps to check if your system was affected.

1 Like
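A way to verify that an override like the one in the post actually took effect is to scan the resolved lock file rather than trusting package.json alone: npm's `package-lock.json` (lockfile v2/v3) lists every installed copy of a package under its `packages` map, including nested copies such as `node_modules/@rsdoctor/rspack-plugin/node_modules/axios`. The script below is an added example, not code from the thread, Meteor or rsdoctor. It walks such a map, finds every copy of a named dependency and reports the ones below a version floor; the floor `1.14.0` is the override from the post, while the lock file contents (including the rsdoctor version and the nested axios version) are constructed for the demo and do not describe what any real rsdoctor release ships.

```javascript
// Added example: audit an npm lock file for nested copies of a dependency that
// sit below a version floor. Run with `node audit-axios.js`; to use it on a real
// project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')).

const MIN_AXIOS = '1.14.0'; // floor taken from the override in the post

// Parse "major.minor.patch" into numbers; range prefixes and prerelease/build
// suffixes are dropped, which is enough for comparing resolved lock-file versions.
function parseSemver(v) {
  const core = String(v).replace(/^[\^~=v]/, '').split(/[-+]/)[0];
  const [major, minor, patch] = core.split('.').map((n) => Number.parseInt(n, 10));
  return [major || 0, minor || 0, patch || 0];
}

// Negative if a < b, zero if equal, positive if a > b (numeric, so 1.14.0 > 1.9.0).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Find every installed copy of `name` in a lockfile v2/v3 "packages" map.
// Keys look like "node_modules/axios" or "node_modules/<parent>/node_modules/axios".
function findInstalledVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Copies of `name` whose resolved version is below `floor`; an empty result means
// the override reached every nested copy.
function findBelowFloor(lock, name, floor) {
  return findInstalledVersions(lock, name).filter((h) => compareSemver(h.version, floor) < 0);
}

// Constructed sample lock file (not a real project's): the top-level axios is at
// the floor, but a nested copy under a dev dependency was never overridden.
const SAMPLE_LOCK = {
  name: 'example-meteor-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-meteor-app', devDependencies: { '@rsdoctor/rspack-plugin': '1.5.7' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/@rsdoctor/rspack-plugin': { version: '1.5.6' },
    'node_modules/@rsdoctor/rspack-plugin/node_modules/axios': { version: '1.7.9' },
  },
};

// Print one line per offending copy and return the list for further handling.
function report(lock = SAMPLE_LOCK, name = 'axios', floor = MIN_AXIOS) {
  const bad = findBelowFloor(lock, name, floor);
  if (bad.length === 0) {
    console.log(`all copies of ${name} are at or above ${floor}`);
  }
  for (const b of bad) {
    console.log(`${b.path}: ${name} ${b.version} is below ${floor}`);
  }
  return bad;
}

if (typeof require !== 'undefined' && require.main === module) report();
```

On a real project, run it after `npm install` so the lock file reflects the override; if any nested copy still shows up, the override key is usually wrong (overrides match by package name, and a nested path like `"@rsdoctor/rspack-plugin": { "axios": "1.14.0" }` can be used to scope it) or the lock file was not regenerated.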

Thanks for the report.

We will ensure that in the next Meteor 3.4.1 release, @rsdoctor/rspack-plugin is set to at least version 1.5.7. This way, any Meteor app will get the update automatically when running meteor update --npm or when starting the app with the new Meteor version.

2 Likes

This brings up a question about Meteor’s package manager and build system issues.

To my understanding, each Meteor version has a certain Node and npm version bundled with it.

Since npm 11.10.0 is the first version to support the “min-release-age” flag, it’s quite inconvenient to be held hostage to older npm versions if you’re a Meteor user.

What are the best practices regarding package managers with Meteor?