11ty / eleventy-fetch

Utility to cache any remote asset: Image, Video, Web Font, CSS, JSON, etc
https://www.11ty.dev/docs/plugins/fetch/

`node-fetch` 2.6.1: security alert (CVE-2022-0235) #17

Closed brycewray closed 2 years ago

brycewray commented 2 years ago

The presence of node-fetch 2.6.1 in eleventy-cache-assets is triggering GitHub's Dependabot alerts regarding CVE-2022-0235. Apparently nothing earlier than 3.1.1 is considered safe.

zachleat commented 2 years ago

Hey, I do have plans to update this explicitly, but just as a disclosure, 2.6.7 is also patched and will be applied on a clean install per `^` install rules.

See also https://github.com/node-fetch/node-fetch/blob/HEAD/docs/v3-UPGRADE-GUIDE.md#converted-to-es-module
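
Added example (not code from eleventy-fetch or node-fetch) showing what the `^` install rule above means in practice: a minimal semver compare that tells whether a locked node-fetch version already carries the fix, and whether a caret range resolves to a patched release on a clean install. The fixed versions 2.6.7 and 3.1.1 come from this thread; the "newest release per major" lookup is constructed sample data, not a registry query.

```javascript
// Added example, not from the eleventy-fetch or node-fetch repositories.
// Fixed releases for CVE-2022-0235 as stated in the thread: 2.6.7 (2.x) and 3.1.1 (3.x).
const FIXED_BY_MAJOR = { 2: "2.6.7", 3: "3.1.1" };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when a locked/installed version is at or above the fix for its major line.
// Assumption: majors below 2 are treated as unpatched, majors above 3 as patched
// (they postdate 3.1.1).
function isPatched(version) {
  const [major] = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return major > 3;
  return compareVersions(version, fixed) >= 0;
}

// A caret range such as "^2.6.1" lets a clean install take the newest release
// with the same major (for major >= 1), so the result is patched iff the newest
// release on that major is patched. A lockfile, by contrast, keeps whatever it
// recorded, which is why Dependabot still flags 2.6.1. `newestOnMajor` is a
// constructed lookup standing in for the registry.
function caretInstallIsPatched(range, newestOnMajor) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [major] = parseVersion(m[1]);
  if (major < 1) throw new Error("0.x caret ranges pin the minor; not handled here");
  const newest = newestOnMajor[major];
  if (!newest) throw new Error(`no release known on major ${major}`);
  return isPatched(newest);
}

// Constructed sample: assumes 2.6.7 and 3.1.1 are the newest releases on their lines.
const SAMPLE_NEWEST = { 2: "2.6.7", 3: "3.1.1" };
```

A lockfile entry of 2.6.1 fails `isPatched` even though `^2.6.1` resolves to a patched release on a clean install, which is the gap between the Dependabot alert and the maintainer's reply.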

zachleat commented 2 years ago

Fixed by https://github.com/11ty/eleventy-cache-assets/commit/44c7612f6f897c7e94fa8874271019a686ca6e83; will ship with 2.3.1.