Closed leonidio-com closed 3 years ago
We have the same issue with node-fetch@1.7.3. Any update?
facebook/docusaurus also has this vulnerability for the same reason. Bumping fbjs (currently two major versions behind) would fix
Appreciated if this is fixed.
Hej, I saw the release number is still 3.1.3 but that was nearly 3 years ago. Any plan for a minor release please?
Yeah we'll try to make a release this week.
Any update on this issue? Will you be able to make a release soon?
Thanks
Janet
It has been released
@yangshun how about this: https://github.com/facebook/fbjs/issues/412
@yangshun I am still seeing this here:
+-- flux@4.0.0
| +-- fbemitter@2.1.1
| | `-- fbjs@0.8.17
| | +-- core-js@1.2.7
| | +-- isomorphic-fetch@2.2.1
| | | +-- node-fetch@1.7.3
I was thinking the whole point of this issue was to make node-fetch >= 2.6.1. Is there a chance we could address that?
We need fbemitter to upgrade the fbjs version it uses but it has already been archived. I'll see what I can do internally to maybe upgrade fbemitter.
@yangshun Thanks for investigating it
I got fbemitter unarchived, upgraded deps and published v3.0.0. Then I updated flux to use fbemitter@3.0.0 and released v4.0.1.
Should be fine now!
@yangshun thanks so much. I will sync up with my team the next working day.
CVE-2020-15168 found in node-fetch@1.7.3
CVE-2020-15168 is fixed in "node-fetch": "^2.6.1"
Is there a chance to update it in flux?
+-- flux@3.1.3
| +-- fbemitter@2.1.1
| | `-- fbjs@0.8.17 deduped
| `-- fbjs@0.8.17
| +-- core-js@1.2.7
| +-- isomorphic-fetch@2.2.1
| | +-- node-fetch@1.7.3
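Added example (not part of the thread and not code from the flux, fbemitter or fbjs projects): a small checker that walks a dependency tree and reports every chain that still resolves node-fetch below 2.6.1, which is how to confirm whether an upgrade actually removed the transitive copy. It assumes input shaped like `npm ls --all --json` output; the function names and the sample tree are constructed for illustration.

```javascript
'use strict';
// Added example: list every dependency path that resolves a package below a
// fixed version. Input is assumed to have the shape of `npm ls --all --json`:
// { name, version, dependencies: { depName: { version, dependencies } } }.

// Compare plain x.y.z versions numerically. Assumption: prerelease tags
// (anything after "-") are ignored, so 3.0.0-beta.1 is treated as 3.0.0.
function isBelow(version, fixed) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not below the fix
}

// Depth-first walk. Returns chains such as "a@1.0.0 > b@2.0.0 > target@0.9.0"
// so the package that must be upgraded is visible, not just the leaf.
function findVulnerablePaths(node, name, target, fixed, trail = []) {
  const here = trail.concat(`${name}@${node.version}`);
  const hits = [];
  if (name === target && node.version && isBelow(node.version, fixed)) {
    hits.push(here.join(' > '));
  }
  // Deduped entries carry no "dependencies" key; treat them as leaves.
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(child, dep, target, fixed, here));
  }
  return hits;
}

// Constructed sample mirroring the flux@4.0.0 tree quoted in the thread.
const sampleTree = {
  name: 'flux', version: '4.0.0',
  dependencies: { fbemitter: { version: '2.1.1', dependencies: {
    fbjs: { version: '0.8.17', dependencies: {
      'core-js': { version: '1.2.7' },
      'isomorphic-fetch': { version: '2.2.1', dependencies: {
        'node-fetch': { version: '1.7.3' } } } } } } } },
};

// Convenience wrapper for the constructed sample above.
function checkSample() {
  return findVulnerablePaths(sampleTree, sampleTree.name, 'node-fetch', '2.6.1');
}
```

An empty result for node-fetch with 2.6.1 as the fixed version means no copy below the fix remains anywhere in the tree.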