facebook / fbt

A JavaScript Internationalization Framework
https://facebook.github.io/fbt
MIT License

node-fetch vulnerability transitive from isomorphic-fetch #338

Closed lucasgonze closed 2 years ago

lucasgonze commented 2 years ago

🐛 Bug Report

According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1. This version of node-fetch has a vulnerability that is fixed in 2.6.7 and later.

isomorphic-fetch is abandoned. Consumers of isomorphic-fetch are moving to an alternative project, cross-fetch. babel-plugin-fbt-runtime should too.

To Reproduce

  1. Add babel-plugin-fbt-runtime to a project
  2. Run Dependabot against the downstream project
  3. View alerts

Expected behavior

node-fetch should be at 2.6.7 or later

Link to repo (highly encouraged) or paste

For security reasons, I can't share this publicly. Contact me offline (lucas@gonze.com).

Also...

I'd happily submit a patch but am baffled by the structure of this repo. LMK if you want the help.
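The transitive chain reported above, as an added example that is not part of the issue or of the fbt project: a small Node script that walks a package-lock.json `packages` map (lockfile v2/v3 layout) and reports each dependency chain that ends in a node-fetch older than 2.6.7. The lockfile fragment is constructed; the chain and the 0.9.12, 2.2.1 and ^1.0.1 values are the ones named in this thread, while the fbjs and node-fetch versions are placeholders.

```javascript
const FIXED = [2, 6, 7]; // node-fetch >= 2.6.7 is the fixed version the issue names
// Constructed lockfile (package-lock v2/v3 "packages" map); fbjs/node-fetch versions are placeholders.
const lockfile = {
  packages: {
    "": { dependencies: { "babel-plugin-fbt-runtime": "0.9.12" } },
    "node_modules/babel-plugin-fbt-runtime": { version: "0.9.12", dependencies: { fbjs: "*" } },
    "node_modules/fbjs": { version: "1.0.0", dependencies: { "isomorphic-fetch": "^2.2.1" } },
    "node_modules/isomorphic-fetch": { version: "2.2.1", dependencies: { "node-fetch": "^1.0.1" } },
    "node_modules/node-fetch": { version: "1.7.3" },
  },
};

// True when `version` is older than `fixed`; a pre-release of the fixed version (2.6.7-rc1) is still below.
function isBelow(version, fixed) {
  const [core, pre] = version.replace(/^v/, "").split(/[-+]/);
  const nums = [0, 1, 2].map((i) => Number(core.split(".")[i]) || 0);
  for (let i = 0; i < 3; i++) if (nums[i] !== fixed[i]) return nums[i] < fixed[i];
  return pre !== undefined;
}

// npm's lookup rule: the nearest node_modules/<name> at or above the requiring package's path.
function resolve(packages, base, name) {
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (optional or pruned)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first walk from the root project; returns "a@x > b@y > node-fetch@z" for each vulnerable install.
function findVulnerableChains(lock, target = "node-fetch", fixed = FIXED) {
  const pkgs = lock.packages, chains = [], seen = new Set();
  function walk(path, chain) {
    if (seen.has(path)) return; // each install location is expanded once (also breaks cycles)
    seen.add(path);
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolve(pkgs, path, dep);
      if (!depPath) continue;
      const version = pkgs[depPath].version;
      const next = chain.concat(`${dep}@${version}`);
      if (dep === target && isBelow(version, fixed)) chains.push(next.join(" > "));
      walk(depPath, next);
    }
  }
  walk("", []);
  return chains;
}

console.log(findVulnerableChains(lockfile));
```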

pkqinys commented 2 years ago

According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1.

Hmm, that's different from what I saw. This issue exists in 0.9.5 - 0.9.18 because babel-plugin-fbt-runtime at that time depended on fbjs which in turn depends on isomorphic-fetch.

However, we recently removed the fbjs dependency in https://github.com/facebook/fbt/pull/330/commits/e42ecd2acae7a31b0340bce29602f734533f483e and I believe this is no longer an issue.

lucasgonze commented 2 years ago

Thank you for this helpful guidance, @pkqinys. I see that fbjs is gone in 0.10.0-rc5-beta. What is the stability of that version, given that it is only a release candidate? Can I pull it into production software?

It may be relevant that my work is also on a Facebook project.

pkqinys commented 2 years ago

I would recommend waiting until we release the public version. babel-plugin-fbt@0.21.0-rc10-beta should be stable as it has been deployed to production at Meta for a while now. However, babel-plugin-fbt-runtime@0.10.0-rc5-beta is not in production yet.