digitalbazaar / http-client

An opinionated, isomorphic HTTP client.
BSD 3-Clause "New" or "Revised" License

ky-universal #18

Closed johnwen84 closed 2 years ago

johnwen84 commented 2 years ago

Hi, our recent WhiteSource scan reported a medium severity vulnerability from @digitalbazaar/http-client 2.0.1. The reason for this vulnerability is that it uses ky-universal 0.8.2 as a dependency, which uses node-fetch@3.0.0-beta.9. And node-fetch@3.0.0-beta.9 causes CVE-2022-0235. It seems that upgrading to the latest ky-universal (0.10.1) will solve this issue. Thanks
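The finding above is a transitive one: the vulnerable package is not a direct dependency, it is pulled in two levels down, and a scanner has to walk the lockfile to find it. The script below is an added example, not code from the http-client project or from any commenter in this issue. It walks an npm lockfile (lockfileVersion 2/3 `packages` map, with npm's nearest-`node_modules` resolution) and reports every dependency chain that ends at a package version covered by an advisory. The lockfile and the advisory record are constructed for illustration: the version threshold is a stand-in, not the real CVE-2022-0235 range, and the `3.1.0` pinned at the root is a constructed value. The semver comparison is hand-rolled so the example runs offline; note that it orders `3.0.0-beta.9` before `3.0.0`, which a plain string comparison gets wrong.

```javascript
// Added example (not part of digitalbazaar/http-client): find transitive paths
// to advisory-listed package versions in an npm lockfile.

// Constructed lockfile mirroring the issue's description. Versions and the
// nesting are illustrative, not copied from a real install.
const lockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@digitalbazaar/http-client": "^2.0.1", "node-fetch": "^3.1.0" } },
    "node_modules/@digitalbazaar/http-client": {
      version: "2.0.1",
      dependencies: { "ky-universal": "^0.8.2" },
    },
    "node_modules/ky-universal": {
      version: "0.8.2",
      dependencies: { "node-fetch": "3.0.0-beta.9" },
    },
    // ky-universal pinned its own copy, so npm nested it under ky-universal.
    "node_modules/ky-universal/node_modules/node-fetch": { version: "3.0.0-beta.9" },
    // The root copy (constructed version) is a different, newer install.
    "node_modules/node-fetch": { version: "3.1.0" },
  },
};

// Constructed advisory record. "vulnerableBelow" is a placeholder threshold for
// the example; the real affected range must be taken from the advisory itself.
const advisories = [{ id: "CVE-2022-0235", name: "node-fetch", vulnerableBelow: "3.0.0" }];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: compare major.minor.patch, then prerelease identifiers.
// A prerelease sorts before the release with the same numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter identifier list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1; // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// npm resolution: from the dependant's lockfile path, look for the nearest
// node_modules/<name> entry, walking up toward the root on each miss.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b@<version>"
function describe(packages, path) {
  const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
  return `${name}@${packages[path].version}`;
}

// Depth-first walk from the root package; every chain that reaches an advisory
// package below its threshold is reported once per distinct path.
function findVulnerablePaths(lock, advisoryList) {
  const { packages } = lock;
  const hits = [];
  function walk(path, chain) {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDependency(packages, path, dep);
      if (!depPath || chain.includes(depPath) || !packages[depPath].version) continue;
      const version = packages[depPath].version;
      for (const adv of advisoryList) {
        if (adv.name === dep && compareVersions(version, adv.vulnerableBelow) < 0) {
          hits.push({ advisory: adv.id, package: dep, version,
            via: [...chain.slice(1), depPath].map((p) => describe(packages, p)) });
        }
      }
      walk(depPath, [...chain, depPath]);
    }
  }
  walk("", [""]);
  return hits;
}

console.log(JSON.stringify(findVulnerablePaths(lockfile, advisories), null, 2));
```

Running it reports one chain, `@digitalbazaar/http-client@2.0.1 -> ky-universal@0.8.2 -> node-fetch@3.0.0-beta.9`, and leaves the root's own node-fetch alone, which is exactly the distinction a remediation needs: the fix is in the intermediate package's dependency pin, not in the root project's direct dependencies.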

davidlehn commented 2 years ago

Thanks. We are aware the ky and ky-universal deps are very outdated. They were locked to the pre ESM only releases due to tooling and infrastructure issues. We're currently in the process of updating all our packages to modules and this will get updated along with other packages that depend on this.

johnwen84 commented 2 years ago

@davidlehn this sounds great. Do you have a timeline of when this fix will be available?

dlongley commented 2 years ago

Resolved in version 3.x (via PR #21).