Context
PR #10 (release 0.5.0) added or raised npm `overrides` to remediate security advisories (axios, qs, follow-redirects, esbuild). They verified at the time (npm reported no `invalid` resolutions), but most of them are now redundant or should be revisited as upstreams bump their declared ranges:
- `axios ^1.18.0` — redundant: the direct dependency is already `^1.18.0` and `@quantcdn/quant-client` declares `axios ^1.6.1`, so axios resolves to 1.18 without the override.
- `follow-redirects ^1.16.0` — redundant: axios ≥1.16 already declares `follow-redirects ^1.16.0`.
- `qs ^6.15.2` — the one genuine override: `express` and `body-parser` pin `qs 6.13.0` exactly. Keep until they bump their qs pin (or we upgrade express), then drop.
- `esbuild ^0.28.1` — dev-only (via `tsx`); drop once `tsx` pulls a patched esbuild.
Task
Trim `overrides` down to only those that actually change a resolution, so `package.json` stays minimal and honest:
- Remove the `axios` and `follow-redirects` overrides; confirm resolved versions are unchanged and `npm audit` stays clean.
- Re-check `qs` and `esbuild` against current upstream ranges; drop each once upstream covers the patched version.
Entry points
- `package.json` → `overrides`
- Verify with `npm install && npm ls axios qs follow-redirects esbuild` (watch for `invalid`), then `npm audit` and `npm audit --omit=dev`.
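The "does this override actually change a resolution?" question from the Context section can be answered mechanically from the lockfile: an override is redundant when every dependent's declared range already admits the version that ended up installed, and it is genuine when at least one dependent (here `express` and `body-parser` pinning `qs 6.13.0`) would not accept that version on its own. The script below is an added example, not part of this issue or the project's code. It reads a lockfile-v3 style `packages` map, implements just enough semver (exact, `^`, `~`, `>=`, `*`) for that check, and reports which overrides to keep. The embedded lockfile is constructed for illustration; the `tsx` → `esbuild` range `~0.25.0` in it is a placeholder, not tsx's real declaration.

```python
"""Classify npm overrides as redundant or genuine from a package-lock.json.

Added example (not the project's code). Heuristic: an override for `name`
is redundant when every package that declares `name` as a dependency
already accepts the installed version; otherwise it is doing real work.
"""
import json
import re

# Constructed sample in lockfile-v3 "packages" shape. Versions for
# express/body-parser/tsx/quant-client are placeholders, and tsx's
# esbuild range ("~0.25.0") is a constructed value, not tsx's real one.
SAMPLE_LOCK = {
    "packages": {
        "": {
            "dependencies": {
                "axios": "^1.18.0",
                "@quantcdn/quant-client": "^0.0.0-placeholder",
                "express": "^0.0.0-placeholder",
            },
            "devDependencies": {"tsx": "^0.0.0-placeholder"},
            "overrides": {
                "axios": "^1.18.0",
                "follow-redirects": "^1.16.0",
                "qs": "^6.15.2",
                "esbuild": "^0.28.1",
            },
        },
        "node_modules/axios": {"version": "1.18.0",
                               "dependencies": {"follow-redirects": "^1.16.0"}},
        "node_modules/@quantcdn/quant-client": {"version": "0.0.0",
                                                "dependencies": {"axios": "^1.6.1"}},
        "node_modules/express": {"version": "0.0.0",
                                 "dependencies": {"qs": "6.13.0", "body-parser": "0.0.0"}},
        "node_modules/body-parser": {"version": "0.0.0", "dependencies": {"qs": "6.13.0"}},
        "node_modules/tsx": {"version": "0.0.0", "dependencies": {"esbuild": "~0.25.0"}},
        "node_modules/follow-redirects": {"version": "1.16.0"},
        "node_modules/qs": {"version": "6.15.2"},
        "node_modules/esbuild": {"version": "0.28.1"},
    }
}

_RANGE_RE = re.compile(r"^(\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)$")


def _parse(version):
    """'1.18.0' -> (1, 18, 0); prerelease/build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version: {version}")
    return tuple(int(x) for x in m.groups())


def satisfies(version, spec):
    """Minimal semver check for the range forms npm packages commonly declare."""
    spec = spec.strip()
    if spec in ("*", "", "latest"):
        return True
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec}")
    op = m.group(1) or "="
    lo = tuple(int(x) for x in m.groups()[1:])
    v = _parse(version)
    if op == "=":
        return v == lo            # exact pin, e.g. qs 6.13.0
    if op == ">=":
        return v >= lo
    if v < lo:
        return False
    if op == "~":                 # ~1.2.3 := >=1.2.3 <1.3.0
        hi = (lo[0], lo[1] + 1, 0)
    elif lo[0] > 0:               # ^1.2.3 := >=1.2.3 <2.0.0
        hi = (lo[0] + 1, 0, 0)
    elif lo[1] > 0:               # ^0.2.3 := >=0.2.3 <0.3.0
        hi = (0, lo[1] + 1, 0)
    else:                         # ^0.0.3 := >=0.0.3 <0.0.4
        hi = (0, 0, lo[2] + 1)
    return v < hi


def declared_ranges(lock, name):
    """Every (dependent, range) pair that declares `name` as a dependency."""
    out = []
    for path, meta in lock["packages"].items():
        dependent = path.rsplit("node_modules/", 1)[-1] or "<root>"
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            rng = meta.get(section, {}).get(name)
            if rng is not None:
                out.append((dependent, rng))
    return out


def classify_overrides(lock):
    """Map override name -> {resolved, blocked_by, redundant}."""
    report = {}
    for name in lock["packages"][""].get("overrides", {}):
        resolved = lock["packages"][f"node_modules/{name}"]["version"]
        blocked_by = [(dep, rng) for dep, rng in declared_ranges(lock, name)
                      if not satisfies(resolved, rng)]
        report[name] = {"resolved": resolved, "blocked_by": blocked_by,
                        "redundant": not blocked_by}
    return report


def load_lock(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, info in classify_overrides(SAMPLE_LOCK).items():
        verdict = "drop (redundant)" if info["redundant"] else "keep"
        print(f"{name:16} {info['resolved']:8} {verdict}", info["blocked_by"] or "")
```

Run it against a real lockfile with `classify_overrides(load_lock("package-lock.json"))`; any override whose `blocked_by` list is empty is a candidate for removal, and the `npm ls` / `npm audit` pass above confirms nothing shifted after the edit.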
Acceptance criteria
- Only overrides that change a resolution remain in `package.json`.
- `npm audit` and `npm audit --omit=dev` both report 0 vulnerabilities.
- Build, lint, and unit tests pass.
Out of scope
- The transitive-dep runtime test gap (express+qs on `qc login`, axios+follow-redirects on API calls). The overrides are within-major, so this is low risk; a targeted smoke test could be added separately if desired.