Closed johnwen84 closed 2 years ago
Thanks. We are aware the ky and ky-universal deps are very outdated. They were locked to the pre-ESM-only releases due to tooling and infrastructure issues. We're currently in the process of updating all our packages to modules, and this will get updated along with other packages that depend on this.
@davidlehn this sounds great. Do you have a timeline of when this fix will be available?
Resolved in version 3.x (via PR #21).
Hi, our recent WhiteSource scan reported a medium-severity vulnerability from @digitalbazaar/http-client 2.0.1. The reason for this vulnerability is that it uses ky-universal 0.8.2 as a dependency, which uses node-fetch@3.0.0-beta.9, and node-fetch@3.0.0-beta.9 causes CVE-2022-0235. It seems that upgrading to the latest ky-universal (0.10.1) will solve this issue. Thanks
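The report above traces a finding through a transitive chain (@digitalbazaar/http-client → ky-universal → node-fetch). The script below is an added example for checking such a chain yourself; it is not code from @digitalbazaar/http-client, ky-universal or node-fetch. It walks an npm lockfile (lockfileVersion 2 or 3 `packages` map) with npm's nearest-`node_modules` resolution and reports every dependency path that lands on an affected version, ordering prereleases such as `3.0.0-beta.9` below the release they precede. The lockfile is constructed to mirror the chain in the report; `other-lib` and its nested `node-fetch@2.6.7` are made up to show an already-patched copy that must not be flagged. The fixed versions `2.6.7` and `3.1.1` are taken from the node-fetch advisory for CVE-2022-0235 as recalled here and should be verified against the advisory before relying on them.

```javascript
// Added example: find dependency paths in an npm lockfile that resolve to an
// affected version of a package. Not code from the projects discussed above.

// Constructed lockfile mirroring the chain in the report; "other-lib" is
// hypothetical and only exists to exercise nested node_modules resolution.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "@digitalbazaar/http-client": "^2.0.1", "other-lib": "^1.0.0" } },
    "node_modules/@digitalbazaar/http-client": { version: "2.0.1", dependencies: { "ky-universal": "^0.8.2" } },
    "node_modules/ky-universal": { version: "0.8.2", dependencies: { "node-fetch": "3.0.0-beta.9" } },
    "node_modules/node-fetch": { version: "3.0.0-beta.9" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { "node-fetch": "^2.6.7" } },
    "node_modules/other-lib/node_modules/node-fetch": { version: "2.6.7" },
  },
};

// First patched release per major line for CVE-2022-0235 (assumption: taken
// from the node-fetch advisory as recalled; verify before use).
const NODE_FETCH_FIXED = ["2.6.7", "3.1.1"];

// Semver comparison: numeric core, then prerelease identifiers per the spec
// (a prerelease sorts before the release with the same core version).
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split("+")[0].split(/-(.+)/);
    return { core: core.split(".").map(Number), pre: pre ? pre.split(".") : null };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const p = x.core[i] || 0, q = y.core[i] || 0;
    if (p !== q) return p < q ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // shorter prerelease list sorts first
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1; }
    else if (pn) return -1;       // numeric identifiers sort before alphanumeric
    else if (qn) return 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// A version is affected if it is below the first fixed release on its major
// line; a major line with no listed fix is treated as affected (conservative).
function isVulnerable(version, fixedVersions) {
  const major = Number(version.split(".")[0]);
  const fixed = fixedVersions.find((f) => Number(f.split(".")[0]) === major);
  return !fixed || compareVersions(version, fixed) < 0;
}

// npm resolution: look in the requiring package's own node_modules, then in
// each enclosing package's node_modules up to the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; every edge onto an affected copy of
// `target` is reported, each installed copy's subtree is expanded only once.
function findVulnerablePaths(lock, target, fixedVersions) {
  const pkgs = lock.packages;
  const hits = [];
  const seen = new Set();
  const walk = (path, chain) => {
    if (seen.has(path)) return;
    seen.add(path);
    const entry = pkgs[path];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(pkgs, path, name);
      if (!resolved) continue; // e.g. an optional dependency that was not installed
      const label = `${name}@${pkgs[resolved].version}`;
      if (name === target && isVulnerable(pkgs[resolved].version, fixedVersions)) {
        hits.push([...chain, label].join(" > "));
      }
      walk(resolved, [...chain, label]);
    }
  };
  walk("", [pkgs[""].name || "(root)"]);
  return hits;
}

for (const hit of findVulnerablePaths(SAMPLE_LOCKFILE, "node-fetch", NODE_FETCH_FIXED)) console.log(hit);
```

On the sample it reports the single chain `example-app > @digitalbazaar/http-client@2.0.1 > ky-universal@0.8.2 > node-fetch@3.0.0-beta.9` and stays silent about the nested 2.6.7 copy. To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls node-fetch` and `npm audit` give the same picture natively, and the confirmation after the upgrade mentioned in the report is that no remaining path resolves to an affected node-fetch version.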