justadudewhohacks / face-api.js

JavaScript API for face detection and face recognition in the browser and nodejs with tensorflow.js
MIT License

node-fetch - npm install vulnerability #713

Open dinoluck opened 3 years ago

dinoluck commented 3 years ago

After installing face-api.js npm returns low vulnerability that can't be fixed. Output of npm audit:

Low           Denial of Service                               
Package       node-fetch                                      
Patched in    >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9         
Dependency of face-api.js                                     
Path          face-api.js > @tensorflow/tfjs-core > node-fetch

Running npm audit fix fails.
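
An added example (not from face-api.js, tfjs or anyone in this thread) of how to verify this finding offline: it implements the patched range quoted by npm audit, `>=2.6.1 <3.0.0-beta.1 || >= 3.0.0-beta.9`, including the pre-release ordering that makes `3.0.0-beta.1` fall outside it and `3.0.0-beta.9` inside it, and walks a dependency tree shaped like `npm ls --json` output to report every installed `node-fetch` copy with its path. The tree and all version numbers in it are constructed for the example, as are the function names.

```javascript
// Added example: check every installed node-fetch against the patched range
// reported by npm audit, without touching the network.
const PATCHED = ">=2.6.1 <3.0.0-beta.1 || >= 3.0.0-beta.9";

// Split "MAJOR.MINOR.PATCH[-pre.release]" into numeric parts plus pre-release ids.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4]
    ? m[4].split(".").map(id => (/^\d+$/.test(id) ? Number(id) : id))
    : [];
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver ordering: numeric core first; a release sorts after any of its own
// pre-releases (3.0.0 > 3.0.0-beta.9); pre-release ids compare numerically
// when both are numbers, lexically otherwise, numbers before strings.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// Range grammar used by npm audit here: "||" separates alternatives, and
// whitespace-separated comparators inside an alternative are ANDed.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some(alt => {
    const comps = [...alt.matchAll(
      /(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/g)];
    return comps.length > 0 && comps.every(([, op = "=", ver]) => {
      const c = compareVersions(v, parseVersion(ver));
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[op];
    });
  });
}

// Depth-first walk over an `npm ls --json`-style tree; returns every copy of
// `name` with the "a > b > c" path npm audit prints.
function findInstalled(tree, name, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) hits.push({ path: path.join(" > "), version: info.version });
    hits.push(...findInstalled(info, name, path));
  }
  return hits;
}

function checkNodeFetch(tree) {
  return findInstalled(tree, "node-fetch")
    .map(h => ({ ...h, patched: satisfies(h.version, PATCHED) }));
}

// Constructed sample tree (versions are made up for the example): one
// transitive node-fetch below tfjs-core and one direct, newer copy.
const INSTALLED = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "face-api.js": { version: "0.0.0-constructed", dependencies: {
      "@tensorflow/tfjs-core": { version: "0.0.0-constructed", dependencies: {
        "node-fetch": { version: "2.6.0" } } } } },
    "node-fetch": { version: "2.6.7" }
  }
};

console.log(JSON.stringify(checkNodeFetch(INSTALLED), null, 2));
```

Fed the real tree (`npm ls node-fetch --json`), the same walk tells you whether `npm audit fix --force` actually replaced the copy under `@tensorflow/tfjs-core` or only the top-level one, which is the distinction the audit path line is pointing at.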

JefferyHus commented 3 years ago

Have you tried npm audit fix --force?

dinoluck commented 3 years ago

> Have you tried npm audit fix --force?

No, mostly because I saw node-fetch causing issues for other people with other packages when I was looking into it.

JefferyHus commented 3 years ago

This issue is related to packages depending on node-fetch not updating their modules and ending up with vulnerabilities. But it makes sense, because they have to read the new updates of node-fetch in order to maintain a stable package.

I believe that using the --force flag will get rid of the vulnerability but will create other issues with your face-api package.

You have two options:

vladmandic commented 3 years ago

I've updated all packages and switched to the TFJS 2.0 branch in my fork, if you want to try it:
https://github.com/vladmandic/face-api