
[Bug]: @alpacahq/alpaca-trade-api uses outdated axios version 0.21.4 #277

Open
ManfredLange opened this issue Dec 2, 2024 · 5 comments

Comments

@ManfredLange

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When I add @alpacahq/alpaca-trade-api version 3.1.2 (newest as of writing) as a dependency, this adds an indirect dependency of axios version 0.21.4 which contains a moderate vulnerability, see GHSA-wf5p-g6vw-rhxx for more details on that vulnerability.

Expected Behavior

When I add @alpacahq/alpaca-trade-api, it should add a recent or the most recent version of all its dependencies, e.g. axios version 1.7.8.

SDK Version I encountered this issue in

alpaca-trade-api 3.1.2

Steps To Reproduce

1. In a node environment, add `@alpacahq/alpaca-trade-api` to the project
2. Use your favorite package manager to fix vulnerabilities, e.g. "pnpm audit fix" to check for vulnerabilities.
3. Use a tool like "pnpm why axios" to confirm that `@alpacahq/alpaca-trade-api` uses it as an indirect dependency

Filled out the Steps to Reproduce section?

  • I have entered valid steps to reproduce my issue or have attached a minimally reproducible case in code that shows my issue happening; and understand that without this my issue will be flagged as invalid and closed after 30 days.

Anything else?

It might make sense to consider a practice whereby all dependencies are kept on a recent version.

Also, it might make sense to consider making @alpacahq/alpaca-trade-api ESM-compatible. Based on the information I have at this time, axios is not ESM-compatible. A suitable replacement could be node-fetch which is ESM-compatible.
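The transitive-dependency check that steps 2 and 3 of the reproduction do by hand, as an added example that is not part of this issue or of the alpaca-trade-api project: it walks the JSON tree that `npm ls --all --json` prints (a constructed sample here, mirroring the report) and lists every path through which a package resolves below a chosen minimum version.

```javascript
// Added example, not code from the issue or the project. The tree is a
// constructed sample shaped like `npm ls --all --json` output: the root
// project pulls in @alpacahq/alpaca-trade-api 3.1.2, which resolves axios
// 0.21.4, while the root itself also depends directly on axios 1.7.8.
const SAMPLE_TREE = {
  name: "my-trading-app",
  version: "1.0.0",
  dependencies: {
    "@alpacahq/alpaca-trade-api": {
      version: "3.1.2",
      dependencies: {
        axios: { version: "0.21.4" },
        "some-other-dep": { version: "2.0.0" }, // constructed placeholder
      },
    },
    axios: { version: "1.7.8" },
  },
};

// Parse the leading major.minor.patch of a version string into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts strictly before version b (numeric compare,
// pre-release tags ignored).
function lessThan(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Recursively collect every resolution of `pkg` older than `minVersion`,
// reporting the dependency chain that led to it ("root > parent > pkg").
function findOutdated(tree, pkg, minVersion, path = [tree.name || "root"]) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && node.version && lessThan(node.version, minVersion)) {
      hits.push({ path: here.join(" > "), version: node.version });
    }
    hits.push(...findOutdated(node, pkg, minVersion, here));
  }
  return hits;
}

console.log(JSON.stringify(findOutdated(SAMPLE_TREE, "axios", "1.7.8"), null, 2));
```

On a real project, pipe `npm ls --all --json` into a file and pass the parsed object in place of `SAMPLE_TREE`; the same walk flags the chain regardless of how deep the old axios sits.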

@chand1012

Because Axios is such an old version, it's missing an adapter for using fetch in environments where that's needed (for example, Cloudflare Workers). Here's the error I got when trying to use this module from within a worker.
[Screenshot: CleanShot 2025-01-03 at 16 40 51]

@ManfredLange
Author

ManfredLange commented Jan 4, 2025

Doesn't appear as if there is a lot of interest by Alpaca to keep these libraries up-to-date.

They should make a decision. Either look after these libraries - is it any better for other languages? - or archive the repo.

The worst thing is to just let it sit there in limbo. For people to have to find out by themselves is just a waste of time.

We are considering ditching this npm package and building our own with just what we need. That'd be a shame, though, as we wouldn't build the same functionality.

Another option would be to fork it and publish it as a "working" package. However, we don't work for free and Alpaca wants us to make use of their API-first brokerage and trading solution. If they want others to maintain this package, then they should indicate what they would be willing to contribute financially, e.g. via sponsoring.

My two cents.

cc @noramehesz @gnvk @markSbrandt

@chand1012

@ManfredLange seems like the reason this library isn't actively developed is that they're working on an alternative library, alpaca-ts. However I do agree that there should be some resemblance of support for this library, especially with all the open issues and PRs.

@ManfredLange
Author

ManfredLange commented Jan 4, 2025

@chand1012 Thank you for that link. I wasn't aware.

Trouble with that project: The last commit was in June 2024. This issue - alpacahq/typescript-sdk#1 - is supposed to track progress. It has received just one comment since June 2024 and that was to point out that the NPM package appears to be missing a file.

The last time the package was published to npmjs was in Jun 2024 as well. According to their README.md, test coverage (however it is measured) is at a mere 35%. That should be sitting at over 90% at all times, and that is feasible and reasonable even while the library is being developed (TDD anyone?).

That project has a single contributor who committed from April to June 2024, and after that nothing. No commit, no other contributor.

All up, I don't get the impression that that library is actively developed at the moment. I will keep an eye on it, though, in case it gets moving again.

@vicary
Contributor

vicary commented Jan 17, 2025

@ManfredLange Thinking Alpaca being an API-first broker, the current effort to maintain their SDK sends quite a different message TBH.

Quoting my question on Discord regarding their TypeScript SDK,

[Image: the quoted Discord question]

It's disappointing, especially when their TypeScript SDK, which looks much more polished and promising, is also ditched because the main author left their team.
