Closed tmpayton closed 1 week ago
Context: https://github.com/springload/draftail/issues/456 https://github.com/springload/draftail/issues/454 https://github.com/springload/draftail/issues/138 https://github.com/springload/draftail/issues/213 Draftail is not ready to upgrade to 0.11. Maintainers' comment states that the security concerns from fbjs, a large polyfill and utility library don’t end up being used in Draft.js / Draftail.
Affecting node-fetch package, versions <2.6.7 >=3.0.0 <3.1.1
How to fix? Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
Upgrade draft-js@0.10.5 to draft-js@0.11.7 to fix
Overview node-fetch is a light-weight module that brings window.fetch to node.js
Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.
Completion Criteria