This repository has been archived by the owner on Mar 7, 2023. It is now read-only.

Can someone bump fbjs => isomorphic-fetch? (due to vulnerabilities w node-fetch) #106

Closed
alundiak opened this issue Sep 16, 2020 · 3 comments

Comments

@alundiak

alundiak commented Sep 16, 2020


isomorphic-fetch is not yet published as a new version. Details:
matthew-andrews/isomorphic-fetch#189

But when it is, it would be good to bump the fbjs package (presumably fbjs will also be upgraded).

@alundiak alundiak changed the title Can someone bump fbjs => isomorphic-fetch - node-fetch ? (due to vulnerabilities) Can someone bump fbjs => isomorphic-fetch? (due to vulnerabilities w node-fetch) Sep 16, 2020
@sangdth

sangdth commented Nov 10, 2020

Looks like fbjs got rid of isomorphic-fetch in a recent version.


@alundiak
Author

alundiak commented Nov 16, 2020

Quick update: so far I can confirm that even if I install the packages below manually, it doesn't help me:

"fbjs": "^3.0.0", // I had 0.8.17
"isomorphic-fetch": "^3.0.0", // I had 2.2.1
"node-fetch": "^3.0.0-beta.9", // I had 2.6.1

I mean I installed them, the lock file was updated, I then ran rm -rf node_modules, then npm i so that fresh packages were fetched based on the updated lock file. And same result.

Looks like the only way is to upgrade react-foundation itself.

PS.

Looking at the package-lock.json file.

Now also installed:

"cross-fetch": {
      "version": "3.0.6",
      "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-3.0.6.tgz",
      "integrity": "sha512-KBPUbqgFjzWlVcURG+Svp9TlhA5uliYtiNx/0r8nv0pdypeQCRJ9IaSIc3q/x3q8t3F75cHuwxVql1HFGHCNJQ==",
      "dev": true,
      "requires": {
        "node-fetch": "2.6.1"
      },
      "dependencies": {
        "node-fetch": {
          "version": "2.6.1",
          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
          "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
          "dev": true
        }
      }
    },

fbjs now requires cross-fetch:

"fbjs": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/fbjs/-/fbjs-3.0.0.tgz",
      "integrity": "sha512-dJd4PiDOFuhe7vk4F80Mba83Vr2QuK86FoxtgPmzBqEJahncp+13YCmfoa53KHCo6OnlXLG7eeMWPfB5CrpVKg==",
      "dev": true,
      "requires": {
        "cross-fetch": "^3.0.4",
        "fbjs-css-vars": "^1.0.0",
        "loose-envify": "^1.0.0",
....

isomorphic-fetch now requires:

"isomorphic-fetch": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-3.0.0.tgz",
      "integrity": "sha512-qvUtwJ3j6qwsF3jLxkZ72qCgjMysPzDfeV240JHiGZsANBYd+EEuu35v7dfrJ9Up0Ak07D7GGSkGhCHTqg/5wA==",
      "dev": true,
      "requires": {
        "node-fetch": "^2.6.1",
        "whatwg-fetch": "^3.4.1"
      },
      "dependencies": {
        "node-fetch": {
          "version": "2.6.1",
          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
          "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
          "dev": true
        },
....

And react-foundation itself:

"react-foundation": {
      "version": "0.9.6",
      "resolved": "https://registry.npmjs.org/react-foundation/-/react-foundation-0.9.6.tgz",
      "integrity": "sha512-mM2BdaQkc4eFWAWBse3KvxcRS9rUv/YVFrbQ3GiO3WkouWrYt/Gaph+QShZywn4JwCZ/mLXGvOx/sHUxqThALQ==",
      "requires": {
        "classnames": "^2.2.3",
        "fbjs": "^0.8.16",
        "prop-types": "^15.5.10"
      },
      "dependencies": {
        "fbjs": {
          "version": "0.8.17",
          "resolved": "https://registry.npmjs.org/fbjs/-/fbjs-0.8.17.tgz",
          "integrity": "sha1-xNWY6taUkRJlPWWIsBpc3Nn5D90=",
          "requires": {
            "core-js": "^1.0.0",
            "isomorphic-fetch": "^2.1.1",
            "loose-envify": "^1.0.0",
            "object-assign": "^4.1.0",
            "promise": "^7.1.1",
            "setimmediate": "^1.0.5",
            "ua-parser-js": "^0.7.18"
          },
          "dependencies": {
            "isomorphic-fetch": {
              "version": "2.2.1",
              "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz",
              "integrity": "sha1-YRrhrPFPXoH3KVB0coGf6XM1WKk=",
              "requires": {
                "node-fetch": "^1.0.1",
                "whatwg-fetch": ">=0.10.0"
              }
            }
          }
        },
        "node-fetch": {
          "version": "1.7.3",
          "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz",
          "integrity": "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ==",
          "requires": {
            "encoding": "^0.1.11",
            "is-stream": "^1.0.1"
          }
        }
      }
    },

And npm audit still has it (even after fix):

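As an added example (not code from the issue or from the react-foundation project): a small Node script that walks a lockfileVersion 1 package-lock.json tree (the nested "dependencies" objects quoted above) and lists every installed copy of a package with the path that pins it. That is the check that shows why a top-level install of node-fetch does not replace the copy nested under react-foundation > fbjs@0.8.x > isomorphic-fetch@2.x. The sample lock tree is constructed from the versions quoted in the thread.

```javascript
// Added example, not from the issue or the react-foundation project:
// list every installed copy of a package in a lockfileVersion 1 tree.

// Recursively collect every copy of `name` below `node`.
// Returns [{ path: ["react-foundation", "node-fetch"], version: "1.7.3" }, ...]
function findCopies(node, name, trail = []) {
  const found = [];
  const deps = (node && node.dependencies) || {};
  for (const [depName, info] of Object.entries(deps)) {
    const path = trail.concat(depName);
    if (depName === name) found.push({ path, version: info.version });
    found.push(...findCopies(info, name, path)); // descend into nested "dependencies"
  }
  return found;
}

// One line per copy, e.g. "react-foundation > node-fetch@1.7.3".
function report(node, name) {
  return findCopies(node, name).map((c) => `${c.path.join(" > ")}@${c.version}`);
}

// Constructed lock fragment mirroring the shape quoted in the issue; versions
// are the ones from the thread, "resolved"/"integrity" fields are omitted.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "node-fetch": { version: "2.6.1" }, // the copy a top-level install updates
    "react-foundation": {
      version: "0.9.6",
      requires: { fbjs: "^0.8.16" },
      dependencies: {
        fbjs: {
          version: "0.8.17",
          requires: { "isomorphic-fetch": "^2.1.1" },
          dependencies: {
            "isomorphic-fetch": { version: "2.2.1", requires: { "node-fetch": "^1.0.1" } },
          },
        },
        "node-fetch": { version: "1.7.3" }, // the nested copy that stays on 1.x
      },
    },
  },
};

report(SAMPLE_LOCK, "node-fetch").forEach((line) => console.log(line));
```

Point it at a real lock by replacing SAMPLE_LOCK with JSON.parse of the file; every path printed besides the bare top-level one is a nested copy that its parent's "requires" range keeps pinned.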

@hugovk
Contributor

hugovk commented Aug 12, 2021

This specific one is now fixed in master, so I'll close this. PRs welcome to fix any others!

@hugovk hugovk closed this as completed Aug 12, 2021