npm audit fails with security vulnerability in axios dependency

[Walfisch]

ACTUAL BEHAVIOR

npm audit fails with security vulnerability in axios dependency

STEPS TO REPRODUCE

$ npm i -S @inplayer-org/inplayer.js@3.12.0
npm WARN deprecated fingerprintjs2@2.1.4: Package has been renamed to @fingerprintjs/fingerprintjs. Install @fingerprintjs/fingerprintjs to get updates.
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

added 69 packages, and audited 70 packages in 8s

12 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/axios
  @inplayer-org/inplayer.js  >=3.0.0-beta.0
  Depends on vulnerable versions of axios
  node_modules/@inplayer-org/inplayer.js

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[Walfisch]

This is still true for 3.12.4

$ npm audit
# npm audit report

axios  <=0.21.1
Severity: high
Incorrect Comparison in axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Server-Side Request Forgery in Axios - https://github.com/advisories/GHSA-4w2v-q235-vp99
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/axios
  @inplayer-org/inplayer.js  >=0.3.22
  Depends on vulnerable versions of aws-iot-device-sdk
  Depends on vulnerable versions of axios
  node_modules/@inplayer-org/inplayer.js

follow-redirects  <=1.14.7
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/follow-redirects
  axios  <=0.21.1
  Depends on vulnerable versions of follow-redirects
  node_modules/axios
    @inplayer-org/inplayer.js  >=0.3.22
    Depends on vulnerable versions of aws-iot-device-sdk
    Depends on vulnerable versions of axios
    node_modules/@inplayer-org/inplayer.js

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install @inplayer-org/inplayer.js@2.13.9, which is a breaking change
node_modules/minimist
  aws-iot-device-sdk  *
  Depends on vulnerable versions of minimist
  node_modules/aws-iot-device-sdk
    @inplayer-org/inplayer.js  >=0.3.22
    Depends on vulnerable versions of aws-iot-device-sdk
    Depends on vulnerable versions of axios
    node_modules/@inplayer-org/inplayer.js

5 high severity vulnerabilities

[Walfisch]

This is still true for 3.12.6