Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump node-fetch to 2.6.7 to resolve security issue #204

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

roberttaylor426
Copy link

@roberttaylor426 roberttaylor426 commented Jan 22, 2022

See here and here.

Addresses #202.

@gthrm
Copy link

gthrm commented Jan 24, 2022

@matthew-andrews Hi! Please merge this PR. It's very important for some packages, which depends on this

@scalixte-mdsol
Copy link

How soon until this PR get merged? Does this update also require a version?

Copy link

@scalixte-mdsol scalixte-mdsol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I look forward to this update.

@ryami333
Copy link

@matthew-andrews could you please comment on the status of this high-severity security issue?

@gcruchon
Copy link

gcruchon commented Feb 1, 2022

Hey all... is this library still maintained?

With 6.6M download each week, I hoped so... but I don't see any PR not release for 1.5 year... Is there still a hope?

cc @Jxck

@roberttaylor426
Copy link
Author

@gcruchon I share your concerns.

FWIW due to the lack of response here I've since switched to cross-fetch as suggested in this project's README. Transition was straightforward.

@JCMartell
Copy link

@roberttaylor426 @matthew-andrews Any updates on if this PR will complete or not? We have nested dependencies (dependency of a dependency) that uses this package. This PR would resolve one of our security issue that we can't really fix otherwise.

Copy link

@philc-homehub philc-homehub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good change. Let's merge!

@joshuaball
Copy link

Any ETA for this merge?

@knoxgon
Copy link

knoxgon commented Jan 2, 2023

Year 2023 and still, the PR has not been merged... We're stuck with the security warning forever I guess...

@quanghuynh1502
Copy link

@matthew-andrews please merge

@matthew-andrews
Copy link
Owner

i dont understand why this is necessary. the semver should match the newer version … can someone help explain why it's necessary ?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7
Screenshot 2023-02-27 at 10 37 47 pm

@quanghuynh1502
Copy link

i dont understand why this is necessary. the semver should match the newer version … can someone help explain why it's necessary ?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7 Screenshot 2023-02-27 at 10 37 47 pm

Sorry if I made you confuse. All I need is a patch or minor version of isomorphic-fetch@2 due to some package that use the ^2.x.x version and we cannot upgrade it to use your isomorphic-fetch@3. Please let me know if it is valid.
Thanks

@matthew-andrews
Copy link
Owner

hmm, this pull request is not really going to help for v2 because version v2 relies on node-fetch v1.x.x/whatwg-fetch v0.x.x … the only change between v2 and v3 is this upgrade to use the later versions of node-fetch(v2.x.x)/whatwg-fetch(v3.x.x) so that doesn't really make sense.

is there a version of node-fetch from the v1.x.x that passes your security check? i guess not …

probably the more correct thing to do is upgrade to the v3 branch of isomorphic-fetch … and get fbjs to upgrade also.

@matthew-andrews
Copy link
Owner

just to prove this pull request is not necessary:

% mkdir test
% cd test
% echo {} > package.json
% npm install --save isomorphic-fetch

added 6 packages, and audited 7 packages in 577ms

found 0 vulnerabilities
% npm ls --all
test@ /Users/matthewandrews/repos/test
└─┬ [email protected]
  ├─┬ [email protected]
  │ ├── UNMET OPTIONAL DEPENDENCY encoding@^0.1.0
  │ └─┬ [email protected]
  │   ├── [email protected]
  │   └── [email protected]
  └── [email protected]

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch

Copy link

@marck283 marck283 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NPM's node-fetch package versions until 3.2.10 are subject to a MaxListenersExceededWarning: Possible EventEmitter memory leak detected warning and to a Regular Expression Denial of Service bug. Therefore, I think that node-fetch should be upgraded to version 3.2.10 instead of 2.6.7, since the former is the earliest non-vulnerable version of that package.

@rjstanford
Copy link

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch

The issue is that some of us with legacy code to maintain cannot easily update our intermediate dependencies, which leaves us requiring a 2.x branch of isomorphic-fetch; if a point release of the 2.x version could be made that updated this dependency it would bring a lot of older applications up to more secure code.

@dejan-lukic
Copy link

dejan-lukic commented Sep 3, 2024

@matthew-andrews you're right in saying that this PR will not resolve the issue at hand. @rjstanford is right; what needs to happen is we need a new v2.2.2 release of the isomorphic-fetch package on npm, where node-fetch is bumped up to at least v2.6.7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.