OpenAI's response to the Axios developer tool compromise
48 points
4 hours ago
| 3 comments
| openai.com
| HN
danscan
1 hour ago
[-]
Axios, like Express, is something I'm shocked to see used in any modern codebase. I loved both in the 2010s. In JS/TS-land there are much simpler and better options these days. Depending on Axios suggests the devs don't know how to use fetch. I can't think of another reason it would be a necessary dependency
reply
tommy_axle
49 minutes ago
[-]
I wouldn't go that far. Right tool for the job as always. Axios offers a lot over fetch for all but the simplest use cases plus you get to take advantage of the ecosystem. Need offline, axios-cache-interceptor already exists. Sure you can do all of those things with fetch but you need more to go with it taking you right back to just using axios. Also is no one annoyed that you can't replay fetch like the xhr? Same with express: solves a problem reliably.
reply
danpalmer
1 hour ago
[-]
If you want a fully built out network layer, with auth, logging, monitoring, policies, etc, then `fetch` doesn't really help. Axios and other libraries provide much more for building that sort of framework.
reply
internetter
57 minutes ago
[-]
Any sufficiently competent typescript developer can build out an adhoc wrapper (that just inherits the type definition and passes along whatever it is passed after altering it however needed) in under a hour. It doesn't scale in the sense that you don't expose a configuration, but config as code is king.

(Source: have built out much more scuffed variants of this than the one I just described like https://github.com/boehs/ajar)

I guess a LLM can do as well. Although that's not something I'm quite ready to admit.

reply
8n4vidtmkvmk
22 minutes ago
[-]
I've wrapped fetch a few times but i don't think I'd blame someone if they got tired of wrapping it and wanted a consistent interface across all the projects they work on.
reply
whattheheckheck
45 minutes ago
[-]
Keep developing it. Your taste and judgement matter
reply
jwilliams
1 hour ago
[-]
I do "just use fetch" nowadays -- but I have to say, axios definitely has better ergonomics than fetch, especially for calling APIs.
reply
sampullman
1 hour ago
[-]
I drag a tiny fetch wrapper around with error/json handling, timeouts and basic interceptor support. It doesn't cover everything axios does but it's nice enough and I haven't had to touch it in a couple years.

For reference: https://github.com/sampullman/fetch-api/blob/main/lib/fetchA...

reply
nurettin
1 hour ago
[-]
When the vulnerability was announced, it took me two minutes to one-shot convert an entire legacy project from axios to fetch (it already wrapped api calls neatly), react cra to vite, update all dependencies, convert to deep imports to reduce bundle size and get zero npm warnings while fetching coffee. There is just no excuse to use it.
reply
chvid
1 hour ago
[-]
ChatGPT in general recommends axios over fetch. (At least it did about 2 months ago)
reply
internetter
50 minutes ago
[-]
This is why people still need to know how to write code and why it is asinine to have an LLM write code without a human reading it. Good developers should know what good code looks like and push back when what they're fed is wrong.
reply
ariwilson
38 minutes ago
[-]
What's wrong with Express?
reply
internetter
32 minutes ago
[-]
Just slow and convoluted internals due to the accumulation of cruft over time
reply
koolba
20 minutes ago
[-]
What’s wrong with express?
reply
fortuitous-frog
2 hours ago
[-]
Interesting that (1) this blog post published on April 10th, 10 days after the Axios compromise, and (2) this was emailed to ChatGPT / Codex users yesterday, April 21st, 11 days after the blog post...

After an incident as widely publicized as Axios, I'd expect dependency auditing, credential rotation, and public incident communication to all be carried out with much more urgency. And if they were going to send this out to all of their users (as they should), I would expect _that_ to happen shortly after publishing the post (why wait 11 days???).

reply
himata4113
1 hour ago
[-]
"April 10, 2026"

I don't blame you, took me awhile to find the date.

reply
mrcwinn
1 hour ago
[-]
Above and beyond post. This is good.
reply