Since Indico is using axios and the version is not upper-bounded in package.json, I wonder if this has any effect that should be considered, and whether there should be an emergency release that bounds the version to a version earlier than v1.14.1.
I don’t know the details of how npm behaves when it selects versions to be fair, so this may not be an issue but wanted to raise this asap.
Indico is not affected. We use a lockfile, and the locked version is far older than the compromised one. There is also no JS build/installation of any kind happening when installing indico, this is all done at build (release) time.
PS: The compromised packages have already been wiped from npm. So even if Indico was installing the latest version (which it isn’t), then the risky period for this particular incident would have been over already.
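As an added illustration of the lockfile point above (this is not code from Indico or from either poster), the script below reads an npm `package-lock.json`, reports the version that is actually pinned for a given package, and flags it if it matches a set of versions you consider compromised. The sample lockfile is constructed inline; the version `1.14.1` in the usage call is the one mentioned in this thread, and the check also handles the older lockfileVersion 1 layout as an assumption about lockfiles a reader may still have.

```python
import json

# Constructed sample lockfile in the lockfileVersion 2/3 layout.
# This is NOT Indico's real lockfile; the pinned version is made up.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0"}},
        "node_modules/axios": {
            "version": "1.6.8",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    },
})


def locked_version(lock_text, package):
    """Return the version a lockfile pins for `package`, or None if absent.

    A semver range in package.json (e.g. ^1.6.0) says nothing about what is
    installed; the lockfile entry is the resolved version `npm ci` will use.
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3: keyed by install path
        entry = packages.get(f"node_modules/{package}")
        return entry.get("version") if entry else None
    # Assumed fallback for lockfileVersion 1, which keys by package name
    entry = lock.get("dependencies", {}).get(package)
    return entry.get("version") if entry else None


def audit(lock_text, package, compromised):
    """Compare the pinned version against a set of known-bad versions."""
    version = locked_version(lock_text, package)
    if version is None:
        return {"package": package, "version": None, "status": "not-in-lockfile"}
    status = "COMPROMISED" if version in compromised else "ok"
    return {"package": package, "version": version, "status": status}


def audit_file(path, package, compromised):
    """Convenience wrapper for a real package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), package, compromised)


if __name__ == "__main__":
    # 1.14.1 is the version named in this thread; add others as needed.
    print(audit(SAMPLE_LOCK, "axios", {"1.14.1"}))
```

Note that a lockfile only gives this guarantee when installs use `npm ci` (or `npm install` without changing the lockfile); a build that deletes or regenerates the lockfile is back to resolving the newest version the range allows.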