Security alert on node-fetch@1.7.3

[scinos]

The version we use is affected by CVE-2020-15168.

This is not critical for us, because as the advisor says: "For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size" and that is not our case.

I did a little investigation to see where node-fetch@1.73. is in our dependency tree, in case we want to eventually drop it:

• node-fetch@^1.0.1
  • isomorphic-fetch@^2.1.1
    • fbjs@^0.8.0
      • flux@^3.1.3
        • client/package.json
      • create-react-context@^0.2.3
        • react-live@^1.12.0
          • client/package.json
    • fbjs@^0.8.4
      • fbemitter@^2.0.0
        • flux@^3.1.3
          • client/package.json
      • "react-addons-create-fragment@^0.14.3 || ^15.1.0"
        • interpolate-components@^1.1.1
          • packages/i18n-calypso/package.json
      • react-addons-shallow-compare@^15.6.2
        • react-dates@^17.1.1
          • "@wordpress/components@*", "@wordpress/components@^9.6.0"
          • "@wordpress/components@^10.0.5"
    • fbjs@^0.8.9
      • create-react-class@^15.6.3
        • apps/notifications/package.json
        • client/package.json
  • isomorphic-fetch@^2.2.1
    • packages/calypso-polyfills/package.json
• node-fetch@^1.7.2
  • "@xmpp/resolve@^0.3.0"
    • "@xmpp/plugins@^0.3.0"
      • xmpp.js@^0.3.0
        • test/e2e/package.json

[github-actions[bot]]

This issue is stale because it has been 180 days with no activity. You can keep the issue open by adding a comment. If you do, please provide additional context and explain why you’d like it to remain open. You can also close the issue yourself — if you do, please add a brief explanation and apply one of relevant issue close labels.