upvote

points

by h4ch120 hours ago |
comments
upvoteby beart20 hours ago|
next
[-]
> nearly every other project uses it for some reason instead of fetch (I never understood why).

Fetch wasn't added to Node.js as a core package until version 18, and wasn't considered stable until version 21. Axios has been around much longer and was made part of popular frameworks and tutorials, which helps continue to propagate it's usage.

reply
upvoteby seer19 hours ago|
parent|
next
[-]
Also it has interceptors, which allow you to build easily reusable pieces of code - loggers, oauth, retriers, execution time trackers etc.

These are so much better than the interface fetch offers you, unfortunately.

reply
upvoteby reactordev19 hours ago|
parent|
next
[-]
You can do all of that in fetch really easily with the init object.

   fetch('https://api.example.com/data', {
  headers: {
    'Authorization': 'Bearer ' + accessToken
  }
})
reply
upvoteby zdragnar18 hours ago|
parent|
next
[-]
There are pretty much two usage patterns that come up all the time:

1- automatically add bearer tokens to requests rather than manually specifying them every single time

2- automatically dispatch some event or function when a 401 response is returned to clear the stale user session and return them to a login page.

There's no reason to repeat this logic in every single place you make an API call.

Likewise, every response I get is JSON. There's no reason to manually unwrap the response into JSON every time.

Finally, there's some nice mocking utilities for axios for unit testing different responses and error codes.

You're either going to copy/paste code everywhere, or you will write your own helper functions and never touch fetch directly. Axios... just works. No need to reinvent anything, and there's a ton of other handy features the GP mentioned as well you may or may not find yourself needing.

reply
upvoteby arghwhat15 hours ago|
parent|
next
[-]
Interceptors are just wrappers in disguise.

    const myfetch = async (req, options) => {
        let options = options || {};
        options.headers = options.headers || {};
        options.headers['Authorization'] = token;
    
        let res = await fetch(new Request(req, options));
        if (res.status == 401) {
            // do your thing
            throw new Error("oh no");
        }
        return res;
    }
Convenience is a thing, but it doesn't require a massive library.
reply
upvoteby 15 hours ago|
parent|
next
[-]
deleted
reply
upvoteby nailer14 hours ago|
parent|
prev|
next
[-]
That fetch requires so many users to rewrite the same code - that was already handled well by every existing node HTTP client- says something about the standards process.
reply
upvoteby arghwhat14 hours ago|
parent|
[-]
It could also be trivially written for XMLHttpRequest or any node client if needed. Would be nice if they had always been the same, but oh well - having a server and client version isn't that bad.

Because it is so few lines it is much more sensible to have everyone duplicate that little snippet manually than import a library and write interceptors for that...

(Not only because the integration with the library would likely be more lines of code, but also because a library is a significantly liability on several levels that must be justified by significant, not minor, recurring savings.)

reply
upvoteby nailer8 hours ago|
parent|
[-]
> Because it is so few lines it is much more sensible to have everyone duplicate that little snippet manually

Mine's about 100 LOC. There's a lot you can get wrong. Having a way to use a known working version and update that rather than adding a hundred potentially unnecessary lines of code is a good thing. https://github.com/mikemaccana/fetch-unfucked/blob/master/sr...

> import a library and write interceptors for that...

What you suggesting people would have to intercept? Just import a library you trust and use it.

reply
upvoteby reactordev8 hours ago|
parent|
[-]
But you said so yourself they are necessary… otherwise you would just use fetch. This reasoning is going around in circles.
reply
upvoteby nailer8 hours ago|
parent|
[-]
Why the 'but'? Where is the circular reasoning? What are you suggesting we have to intercept?

- Don't waste time rewriting and maintaining code unecessarily. Install a package and use it.

- Have a minimum release age.

I do not know what the issue is.

reply
upvoteby pixel_popping14 hours ago|
parent|
prev|
[-]
but it does for massive DDoS :p
reply
upvoteby rjmunro13 hours ago|
parent|
prev|
next
[-]
> Likewise, every response I get is JSON.

fetch responses have a .json() method. It's literally the first example in MDN: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/U...

It's literally easier than not using JSON because I have to think about if I want `repsponse.text()` or `response.body()`.

reply
upvoteby abluecloud13 hours ago|
parent|
prev|
next
[-]
that's such a weak argument. you can write about 20 lines of code to do exactly this without requiring a third party library.
reply
upvoteby anon700017 hours ago|
parent|
prev|
next
[-]
Helper functions seem trivial and not like you’re reimplementing much.
reply
upvoteby creshal15 hours ago|
parent|
[-]
Don't be silly, this is the JS ecosystem. Why use your brain for a minute and come up with a 50 byte helper function, if you can instead import a library with 3912726 dependencies and let the compiler spend 90 seconds on every build to tree shake 3912723 out again and give you a highly optimized bundle that's only 3 megabytes small?
reply
upvoteby sayamqazi17 hours ago|
parent|
prev|
next
[-]
> usage patterns

IMO interceptors are bad. they hide what might get transformed with the API call at the place it is being used.

> Likewise, every response I get is JSON. There's no reason to manually unwrap the response into JSON every time.

This is not true unless you are not interfacing with your own backends. even then why not just make a helper that unwraps as json by default but can be passed an arg to parse as something else

reply
upvoteby hiccuphippo11 hours ago|
parent|
prev|
[-]
One more use case for Axios is it automatically follows redirects, forwarding headers, and more importantly, omiting or rewriting the headers that shouldn't be forwarded for security reasons.
reply
upvoteby reactordev7 hours ago|
parent|
[-]
fetch automatically follows redirects, fetch will forward your headers, omitting or rewriting headers is how security breaks… now a scraper got through because it’s masquerading as Chrome.
reply
upvoteby mhio19 hours ago|
parent|
prev|
[-]
What does an interceptor in the RequestInit look like?
reply
upvoteby reactordev8 hours ago|
parent|
[-]
A wrapper function around fetch… that’s what interceptors are…
reply
upvoteby meekins19 hours ago|
parent|
prev|
[-]
It also supports proxies which is important to some corporate back-end scenarios
reply
upvoteby nathanmills19 hours ago|
parent|
[-]
fetch supports proxies
reply
upvoteby zadikian1 hours ago|
parent|
prev|
next
[-]
Right. Though I would've used the built in xhr then. Not going to install a dep just to make http calls.
reply
upvoteby nedt9 hours ago|
parent|
prev|
[-]
Before that we had node-fetch. If you already use a dependency why not one that's pretty much what will come natively to every JS runtime soon.
reply
upvoteby zarzavat9 hours ago|
parent|
[-]
The fetch API is designed for browsers. It's not designed for servers. Fetch may work for a particular use case on the server, it may not. Servers have needs over and above what a browser allows the client to do.
reply
upvoteby PunchyHamster11 hours ago|
prev|
next
[-]
> I can't even imagine the scale of the impact with Axios being compromised, nearly every other project uses it for some reason instead of fetch (I never understood why).

You can remember this answer for every time you ask same question again:

"Coz whatever else/builtin was before was annoying enough for common use cases"

reply
upvoteby benoau6 hours ago|
prev|
next
[-]
> (I never understood why).

I spent two years trying to get it out of a project that began long after Axios had become redundant but it's very hard to go back and challenge decisions like this because every business priority is aligned against this kind of work.

I expect libraries built on top of fetch will be the next to be compromised, because why would you use fetch without an arbitrary layer of syntactic sugar...

reply
upvoteby pyrolistical4 hours ago|
parent|
[-]
There was never the business value. But now remember this axios case and use it as ammo for the next issue. Just don’t abuse it
reply
upvoteby martmulx19 hours ago|
prev|
next
[-]
Does pnpm block postinstall on transitive deps too or just top-level? We have it configured at work but I've never actually tested whether it catches scripts from packages that get pulled in as sub-dependencies.
reply
upvoteby arcfour18 hours ago|
parent|
next
[-]
It prompts for transitive dependencies, too. I have never had workerd as a direct dependency of any project of mine but I get prompted to approve its postinstall script whenever I install cloudflare's wrangler package (since workerd needs to download the appropriate Workers runtime for your platform).
reply
upvoteby dawnerd19 hours ago|
parent|
prev|
[-]
From what I can tell, it blocks it everywhere.
reply
upvoteby martmulx14 hours ago|
parent|
[-]
That's solid, really helps lock down the supply chain attack surface. Do you ever end up having to whitelist anything that legitimately needs to run on install?
reply
upvoteby homebrewer12 hours ago|
parent|
[-]
After using pnpm for years (at least 5, don't remember exactly), I've only ever had to whitelist one library that uses a postinstall script to download a native executable for your system. And even this is not necessary, it's just poorly designed.

For example, esbuild and typescript 7 split binaries for different systems and architectures into separate packages, and rely on your package manager to pull the correct one.

reply
upvoteby eviks19 hours ago|
prev|
next
[-]
> Good news for pnpm/bun users who have to manually approve postinstall scripts.

Would they not have approved it for earlier versions? But also wouldn't the chance of addition automatic approval be high (for such a widely used project)?

reply
upvoteby arcfour18 hours ago|
parent|
next
[-]
The prompt would be to approve the new malicious package (plain-crypto-js)'s scripts, too, which could tip users off that something was fishy. If they were used to approving one for axios and the attackers had just overwrote axios's own instead of making a new package, it would probably catch people out.
reply
upvoteby bpev18 hours ago|
parent|
prev|
next
[-]
Assuming axios didn't have a postinstall script before, it wouldn't have been approved for a previous version. If you ignore it, you ignore it, but postinstall scripts are relatively rare in npm deps, so it would seem a bit out of place when the warning pops up.
reply
upvoteby h4ch118 hours ago|
parent|
prev|
[-]
Can't speak for other devs but I like to read postinstall scripts or at least put them through an LLM if they're too hard to grok.

It's also a little context dependent, for example if I was using Axios and I see a prompt to run the plain-crypto-js postinstall script, alarm bells would instantly ring, which would at least make me look up the changelog to see why this is happening.

In most cases I don't even let them run unless something breaks/doesn't work as expected.

reply
upvoteby TZubiri10 hours ago|
prev|
next
[-]
>(I never understood why).

Because axios existed before the builtin fetch, and so there's a lot of stackoverflow answers explaining how to use fetch, and the llm models are trained on that, so they will write axios requests instead of fetch

reply
upvoteby 19 hours ago|
prev|
[-]
deleted
reply