invertase / stripe-firebase-extensions

Repository of Firebase Extensions built by Stripe.
https://firebase.google.com/products/extensions
Apache License 2.0

Fixing CVE-2022-0235 #521

Open AndreaF17 opened 1 year ago

AndreaF17 commented 1 year ago

CVE report

Issue

I set up the project with the "@stripe/firestore-stripe-payments" (suggested by Firebase) and I noticed that it has a high CVE (CVE-2022-0235) because it uses a vulnerable version of node-fetch.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Go to React/Next js project directory on Terminal
  2. run: npm i @stripe/firestore-stripe-payments
  3. run: npm audit

Output:

```text
# npm audit report

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/@stripe/firestore-stripe-payments/node_modules/node-fetch
  @firebase/auth  <=0.0.900-exp.f919db6a9 || 0.17.0-20217250818 - 0.19.6
  Depends on vulnerable versions of node-fetch
  node_modules/@stripe/firestore-stripe-payments/node_modules/@firebase/auth
    @stripe/firestore-stripe-payments  *
    Depends on vulnerable versions of @firebase/auth
    node_modules/@stripe/firestore-stripe-payments

3 high severity vulnerabilities
```
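The audit above flags a nested copy of node-fetch that the extension pulls in through @firebase/auth. The same check can be run directly against a project's lockfile; the following is an added example, not code from this issue or from the stripe-firebase-extensions repository. It assumes a package-lock.json with lockfileVersion 2 or 3 (the `packages` map keyed by install path), and the lockfile embedded in it is a constructed sample.

```javascript
// Added example (not from the issue or the Stripe extension): scan a
// package-lock.json "packages" map for node-fetch copies older than 2.6.7,
// the first release that fixes CVE-2022-0235, including nested copies like
// node_modules/@stripe/firestore-stripe-payments/node_modules/node-fetch.
const FIXED_NODE_FETCH = "2.6.7"; // per the advisory quoted in the issue

// Compare dotted numeric versions (prerelease tags ignored); <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every node-fetch install path whose version predates the fix.
function findVulnerableNodeFetch(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isNodeFetch =
      path === "node_modules/node-fetch" || path.endsWith("/node_modules/node-fetch");
    if (isNodeFetch && entry.version &&
        compareVersions(entry.version, FIXED_NODE_FETCH) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the audit chain from the issue
// (non-node-fetch versions omitted; the nested "2.6.1" is a sample value).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/@stripe/firestore-stripe-payments": {},
    "node_modules/@stripe/firestore-stripe-payments/node_modules/@firebase/auth": {},
    "node_modules/@stripe/firestore-stripe-payments/node_modules/node-fetch": { version: "2.6.1" },
  },
};

// Stand-alone run: prints the nested copy the audit flagged.
for (const hit of findVulnerableNodeFetch(sampleLock)) {
  console.log(`vulnerable node-fetch ${hit.version} at ${hit.path}`);
}
```

To check a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the top-level copy at 2.6.7 is not reported, only the older nested one.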

Drewsive01010101 commented 4 months ago

I am having the same issue.