department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

(HIGH) - node-fetch forwards secure headers to untrusted sites #80583

Open pjhill opened 3 months ago

pjhill commented 3 months ago

Description

https://github.com/department-of-veterans-affairs/vets-website/security/dependabot/27

Acceptance Criteria

IGallupSoCo commented 2 months ago

This may be blocked by a dependency that starts breaking things with vets-website's current node version (14.15.0)

IGallupSoCo commented 2 months ago

The current vulnerability is tied to a <2.6 node-fetch dependency from isomorphic-fetch. Updating isomorphic-fetch to 3.0.0, which would update its node-fetch dependency requirement to ^2.0, breaks husky during the yarn install command, and appears to be tied to the current node.js version we use.