Dependency gaxios was archived - migration needed/advised #520
Description
Foreword
I wasn't entirely certain which category this falls under - realistically it's not a bug and it's not a pressing security issue, but it's not really a feature request either. It's more of a flag/warning; so feel free to recategorise.
Description
What happened?
The gaxios package, which this project directly depends on (gaxios@^7.1.3), was archived by its owner on January 3, 2026. The repository is now read-only and will no longer receive updates, bug fixes, or security patches.
Why does this matter?
- Security risk: Archived dependencies won't receive security updates
- Deprecation warnings: The gaxios dependency chain includes deprecated packages:
gaxios→node-fetch→fetch-blob→node-domexceptionnode-domexceptionis deprecated (Node.js 18+ has nativeDOMException)- Node.js 18 itself is no longer in active support (even from a security perspective)
- Ecosystem health: Both
node-fetch(last release Nov 2023) andfetch-blob(last release May 2023) appear to be unmaintained
Current dependency chain
@google-cloud/cloud-sql-connector
└── gaxios@^7.1.3 (ARCHIVED)
└── node-fetch@^3.3.2 (stale)
└── fetch-blob (abandoned)
└── node-domexception (deprecated)
Suggested migration path
Node.js 18+ includes native fetch support. Migrating to native fetch would:
- Remove the dependency on the archived
gaxiospackage - Eliminate the entire deprecated dependency chain
- Reduce bundle size
- Improve long-term maintainability
Environment
@google-cloud/cloud-sql-connectorversion: 1.8.4 (latest at time of writing)- Node.js: 20.x / 22.x
Additional context
This was discovered while investigating npm deprecation warnings in a project using firebase-tools, which depends on @google-cloud/cloud-sql-connector.
The deprecation warning during npm install:
npm warn deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
There is an open issue in firebase-tools that provides a more thorough dependency tree