fecgov / fec-cms

The content management system (CMS) for the new Federal Election Commission website.
https://www.fec.gov

[Snyk: Med] Information Exposure (Due: 07/29/24) #6307

Closed tmpayton closed 1 week ago

tmpayton commented 1 month ago

Affecting node-fetch package, versions <2.6.7 and >=3.0.0 <3.1.1

How to fix? Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

Upgrade draft-js@0.10.5 to draft-js@0.11.7 to fix

Overview node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote URL with a Cookie: if it gets a Location response header, it will follow that URL and try to fetch it with the provided cookie. This can lead to forwarding secure headers to a third party.

Completion Criteria

cnlucas commented 1 week ago

Context:
https://github.com/springload/draftail/issues/456
https://github.com/springload/draftail/issues/454
https://github.com/springload/draftail/issues/138
https://github.com/springload/draftail/issues/213

Draftail is not ready to upgrade to 0.11. The maintainers' comment states that the security concerns from fbjs, a large polyfill and utility library, don't end up being used in Draft.js / Draftail.