Resolving nested dependency security issues in Nuxt 2 projects (Axios example)

Hey folks, I’m stuck with a tricky problem in my Nuxt 2 project. I’m trying to fix a security issue with Axios, which is buried inside @nuxtjs/axios. I’ve tried adding some stuff to my package.json to force a newer Axios version:

"dependencies": {
  "axiosClient": "^1.9.0"
},
"overrides": {
  "axiosClient": "^1.9.0"
},
"resolutions": {
  "axiosClient": "^1.9.0"
}

When I use a special command, it works fine. But if someone else just does a regular install, the old Axios pops up again in @nuxtjs/axios.

I’m wondering:

  1. How can I make sure everyone gets the right version without extra steps?
  2. Is there a way to lock in the fixed version for good in package-lock.json?

I’m using Node 14.21.3. Any ideas would be super helpful!

Hey Zack, I had a similar headache. Try npm-force-resolutions like Jessica said, but also check out npm-force-upgrade. It can help force upgrades across the board. Just add this to your scripts:

"preinstall": "npx npm-force-upgrade"

Make sure to run npm i after. It might solve your problem without extra hassle.

I’ve encountered this issue before, and it can be quite frustrating. One solution that’s worked well for me is using npm-force-resolutions. Add this to your package.json:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
},
"resolutions": {
  "axios": "^1.9.0"
}

Then run npm install as usual. This forces the resolution of axios to the specified version across all dependencies, including nested ones like @nuxtjs/axios.

Remember to commit both package.json and package-lock.json to ensure consistency across your team. If you’re using yarn, you might need to use selective dependency resolutions instead.

Lastly, consider reaching out to the @nuxtjs/axios maintainers about updating their axios dependency. It could benefit the whole community.

I’ve faced similar issues with nested dependencies in Nuxt projects before. One approach that worked for me was using the ‘resolutions’ field in package.json, but specifically targeting the nested package. Try this:

"resolutions": {
  "@nuxtjs/axios/axios": "^1.9.0"
}

This tells npm/yarn to use this version for axios when it’s a dependency of @nuxtjs/axios. Remember to delete your node_modules and package-lock.json, then run npm install again.

For locking versions, consider using exact versions (remove the ^ prefix) in your package.json. Also, commit your package-lock.json to version control. This ensures everyone gets the same dependency tree.

If all else fails, you might need to fork @nuxtjs/axios and update its axios dependency directly. It’s more work, but gives you full control.
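A worked check added here, not code posted by anyone in the thread, for Zack's two questions (does everyone get the fixed version, and is it locked in package-lock.json): a small Node script that walks a package-lock.json, lists every installed copy of a package, and flags any copy below a minimum version, so a stale nested axios under @nuxtjs/axios is caught before it reaches CI or a teammate's machine. It handles both lockfile v1 (the nested "dependencies" tree written by the npm 6 that ships with Node 14) and v2/v3 (the flat "packages" map written by npm 7+). The two sample lockfiles are constructed, the file name audit-lock.js is hypothetical, and the `pinFields` helper only shows the two syntaxes the replies above mention side by side: npm's nested `overrides` (which requires npm 8.3 or newer, so the npm 6 bundled with Node 14 ignores it) and yarn classic's selective `resolutions`.

```javascript
// Added example (not code from the thread): audit a package-lock.json for
// every installed copy of a package, so the team can verify that no stale
// nested copy (e.g. axios under @nuxtjs/axios) survives a plain `npm install`.
// Handles lockfile v1 (npm 6, nested "dependencies") and v2/v3 (npm 7+,
// flat "packages" map). Only x.y.z versions are compared; no external semver
// dependency, so the script runs offline.

function parseVersion(v) {
  // Strip a leading "v" and any prerelease/build suffix ("1.9.0-beta.1" -> "1.9.0").
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version }] for every copy of `name` in the lockfile.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are node_modules paths; "" is the root project itself.
    const suffix = `node_modules/${name}`;
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === suffix || key.endsWith(`/${suffix}`)) {
        found.push({ path: key, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    // v1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, trail) => {
      for (const [depName, info] of Object.entries(deps)) {
        const here = trail.concat(depName);
        if (depName === name) found.push({ path: here.join(" > "), version: info.version });
        if (info.dependencies) walk(info.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return found;
}

// Flags every copy below `minVersion`. ok === true means the tree is clean
// (at least one copy present, none below the minimum).
function auditLock(lock, name, minVersion) {
  const copies = findPackageVersions(lock, name);
  const offenders = copies.filter((c) => compareVersions(c.version, minVersion) < 0);
  return { ok: copies.length > 0 && offenders.length === 0, copies, offenders };
}

// package.json fields that pin a nested dependency in place. The npm form
// needs npm >= 8.3 (the npm 6 bundled with Node 14 ignores "overrides");
// the yarn form is yarn classic's selective dependency resolution.
function pinFields(parent, dep, range) {
  return {
    overrides: { [parent]: { [dep]: range } },
    resolutions: { [`${parent}/${dep}`]: range },
  };
}

// Constructed sample lockfiles (not real project data): a fixed root copy
// of axios plus a stale nested copy under @nuxtjs/axios.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/axios": { version: "1.9.0" },
    "node_modules/@nuxtjs/axios": { version: "5.13.6" },
    "node_modules/@nuxtjs/axios/node_modules/axios": { version: "0.21.1" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.9.0" },
    "@nuxtjs/axios": {
      version: "5.13.6",
      dependencies: { axios: { version: "0.21.1" } },
    },
  },
};

if (typeof require !== "undefined" && process.argv[2] && process.argv[2].endsWith(".json")) {
  // Usage: node audit-lock.js ./package-lock.json axios 1.9.0
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const result = auditLock(lock, process.argv[3] || "axios", process.argv[4] || "1.9.0");
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.ok ? 0 : 1;
} else {
  console.log(auditLock(SAMPLE_LOCK_V3, "axios", "1.9.0").offenders);
}
```

Run it against the committed lockfile in CI (a non-zero exit fails the build), so the check catches the case in the question where someone's plain install re-introduces the old nested axios; it also makes plain why committing package-lock.json matters, since the audited file is the one the whole team installs from.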