According to https://github.com/node-fetch/node-fetch/pull/1611, earlier versions of node-fetch are vulnerable to DoS when the user can manipulate the URL referrer. While the user of this app won't be able to do this, it does not make sense to keep a vulnerable version when none of the changes affect usability.
Tasks to be done:
Create a branch where node-fetch is updated to a non-vulnerable version.
Test it and assess if there are any functionality issues.
If not, then send a PR as is; else comment here and create a new issue about such issues with node-fetch, which can then be referenced when a PR gets sent with fixes.