
Fix #958: Update binary-install in package.json to fix security alert #973

Merged
merged 1 commit into from
Jun 17, 2021

Conversation

Rizary
Contributor

@Rizary Rizary commented Feb 13, 2021

Make sure these boxes are checked! 📦✅

  • You have the latest version of rustfmt installed
$ rustup component add rustfmt
  • You ran cargo fmt on the code base before submitting
  • You reference which issue is being closed in the PR text

This PR fixes #958.

✨✨ 😄 Thanks so much for contributing to wasm-pack! 😄 ✨✨

@Rizary
Contributor Author

Rizary commented Feb 13, 2021

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wasm-pack [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wasm-pack > binary-install > axios                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
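The advisory table above names a transitive path (wasm-pack > binary-install > axios) and a patched range (>=0.21.1). The following is an added example, not code from this PR or from the wasm-pack project, showing how such a finding can be confirmed against a package-lock.json in the v1 layout (nested `dependencies` maps): it walks the tree, reports every path that reaches the named package, and flags versions below the patched range. The lock-file object is constructed for illustration, and `findPackage`, `audit` and `compareVersions` are names chosen here.

```javascript
// Added example (not from the wasm-pack PR): walk a package-lock.json v1
// dependency tree, report every path that reaches a named package, and
// flag versions below the advisory's patched range.
// The lock file below is constructed for illustration; the versions are the
// ones named in the advisory table (axios 0.19.0, patched in >=0.21.1).
const lock = {
  name: "wasm-pack",
  version: "0.0.0",
  lockfileVersion: 1,
  dependencies: {
    "binary-install": {
      version: "0.0.1",
      dev: true,
      requires: { axios: "^0.19.0" },
      dependencies: {
        axios: { version: "0.19.0", dev: true },
      },
    },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are not handled; this is enough for "patched in >=X.Y.Z".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps of a v1 lock file.
// Returns one entry per physical location of `target`, with the path from the root.
function findPackage(lockfile, target) {
  const hits = [];
  function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (name === target) {
        hits.push({ path: here, version: dep.version, dev: !!dep.dev });
      }
      walk(dep, here);
    }
  }
  walk(lockfile, [lockfile.name]);
  return hits;
}

// Apply an advisory of the form "patched in >=patchedIn" to every hit.
function audit(lockfile, target, patchedIn) {
  return findPackage(lockfile, target).map((hit) => ({
    ...hit,
    pathString: hit.path.join(" > "),
    vulnerable: compareVersions(hit.version, patchedIn) < 0,
  }));
}

// Stand-alone run: print one line per location, in the advisory's "a > b > c" form.
if (typeof require !== "undefined" && require.main === module) {
  for (const r of audit(lock, "axios", "0.21.1")) {
    const dev = r.dev ? " [dev]" : "";
    console.log(`${r.pathString}: ${r.version}${dev} -> ${r.vulnerable ? "VULNERABLE" : "ok"}`);
  }
}
```

Usage: load a real package-lock.json with `JSON.parse(fs.readFileSync(...))` in place of the constructed object and call `audit(lockfile, "axios", "0.21.1")`. In a real lock file the vulnerable package is often hoisted to the top-level `dependencies` map, so the reported path is its physical location under node_modules rather than the `requires` chain; `npm ls axios` prints the logical chain when the two differ.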

Contributor

@EverlastingBugstopper EverlastingBugstopper left a comment

this change should be verified before merging - I believe I changed the API just a tad with this release (sorry for making it only a patch release, should have at least done a minor version bump). verification can be done by running the commands with node install.js and node run.js

@magcius

magcius commented Feb 28, 2021

The API has indeed been changed -- just forcing an override of "0.1.1" in my package.json does not work.

@ctron

ctron commented Mar 5, 2021

Is there any plan to release this soon?

@Keavon

Keavon commented Apr 11, 2021

Checking in on the status of updating this high-severity vulnerability. I'm hesitant to use wasm-pack as a dev dependency until it's fixed.

@magcius

magcius commented Apr 11, 2021

wasm-pack seems like it's unmaintained, unfortunately

@simlay
Contributor

simlay commented Jun 3, 2021

@ashleygwilliams polite ping. This is a high severity vulnerability.

@Rizary
Contributor Author

Rizary commented Jun 3, 2021

I haven't had the chance to fix my PR. Anyone is welcome to give the code a fix.

@simlay
Contributor

simlay commented Jun 3, 2021

> I haven't had the chance to fix my PR. Anyone is welcome to give the code a fix.

I think your CI issue is fixed in #983, or is there something else up?

@magcius

magcius commented Jun 3, 2021

The API of binary-install changed between the 0.0 and 0.1 versions.

@Keavon

Keavon commented Jun 3, 2021

@Rizary can you mark this PR as a draft until either you may get the chance to fix the API incompatibility, or someone else can submit a PR which fixes it? We can worry about getting in touch with Ashley once there's something for her to approve and publish, or transfer the publication rights to the appropriate person such as @drager.

@simlay
Contributor

simlay commented Jun 3, 2021

> The API of binary-install changed between the 0.0 and 0.1 versions.

Ah yes, I missed this in the comments above. Here's the fix. I ran a test locally and it works. #1012.

@Keavon

Keavon commented Jun 4, 2021

Thank you @simlay for the PR which fixes the issue by editing the usage of the API. I'm glad it was such a trivial change! For the record, this PR is superseded by #1012. It probably wouldn't hurt to close it for clarity (@simlay @Rizary)?

I have also emailed @ashleygwilliams and I'll report back in a few days if I hear nothing. Feel free to also tweet at her, the Twitter handle is in her GitHub profile.

@drager drager merged commit 2620c78 into rustwasm:master Jun 17, 2021
Successfully merging this pull request may close these issues.

Security alert for axios 0.19.0 (npm dependency)
7 participants