Closed paimon0715 closed 3 years ago
How can I pull a request to cross-fetch's v2.2.* branch to fix this issue?
Thanks again.
hi @paimon0715! thanks for reporting that! version 2.2.5 has just been published with node-fetch@2.6.1. Please check it out if it works for you.
@lquixada Thanks for your understanding and help!
Hi @lquixada @jstewmon, there is a vulnerability issue in cross-fetch:
Issue Description
A vulnerability CVE-2020-15168 detected in package node-fetch (<2.6.1,>=3.0.0-beta.1 <3.0.0-beta.9) is directly referenced by cross-fetch 2.2.3. We noticed that such a vulnerability has been removed since cross-fetch 3.0.6.
However, cross-fetch's popular previous version cross-fetch 2.2.3 (240,898 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 1,782 downstream projects, e.g., web3-provider-engine 16.0.1, ganache-core 2.13.2, @walletconnect/web3-provider 1.4.1, @ethereum-waffle/chai 3.4.0, @ethereum-waffle/provider 3.4.0, @braum/plugin-filter-unauthed@0.1.2, @cogitojs/cogito@0.2.18, etc.). As such, issue CVE-2020-15168 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade cross-fetch from version 2.2.3 to 3.*.*. For instance, cross-fetch 2.2.3 is introduced into the above projects via the following package dependency paths:
(1) @braum/plugin-filter-unauthed@0.1.2 ➔ braum@0.1.2 ➔ cross-fetch@2.2.3 ➔ node-fetch@2.1.2
(2) @cogitojs/cogito@0.2.18 ➔ @cogitojs/telepath-js@0.2.23 ➔ cross-fetch@2.2.3 ➔ node-fetch@2.1.2
........
The projects such as braum and @cogitojs/telepath-js which introduced cross-fetch@2.2.3 are not maintained anymore. These unmaintained packages can neither upgrade cross-fetch nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package cross-fetch@2.2.3?
Sorry for the inconvenience caused.
Suggested Solution
Since these inactive projects set a version constraint `~2.2.*` for cross-fetch on the above vulnerable dependency paths, if cross-fetch removes the vulnerability from 2.2.3 and releases a new patched version **cross-fetch 2.2.4**, such a vulnerability patch can be automatically propagated into the 1,782 affected downstream projects.
In cross-fetch 2.2.4, you can kindly try to perform the following upgrade:
node-fetch 2.1.2 ➔ 2.6.1
Note: node-fetch@2.6.1 (>=2.6.1 <3.0.0, >=3.0.0) has fixed the vulnerability (CVE-2020-15168)
Thanks again for your help.
Best regards, Paimon
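Added example, not code from the issue, cross-fetch or node-fetch: it models the two dependency paths quoted in the issue as a constructed graph, flags every path that ends in a node-fetch release inside the range the issue calls vulnerable, and checks that the proposed cross-fetch 2.2.4 is accepted by a `~2.2.x` constraint while 3.0.6 is not. The graph contents and the `findVulnerablePaths`/`satisfiesTilde` helpers are assumptions for illustration.

```javascript
// Added example (not from the issue, cross-fetch or node-fetch): walk a constructed
// dependency graph for node-fetch releases in the CVE-2020-15168 range quoted above,
// and show why a patch release 2.2.4 reaches every dependant pinned with ~2.2.x.
function parseVersion(v) {
  const [core, pre = null] = v.split('-');
  return { nums: core.split('.').map(Number), pre };
}
// Semver order: major.minor.patch, then pre-release below its release
// ("3.0.0-beta.1" < "3.0.0-beta.9" < "3.0.0"); equal versions return 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null || pb.pre === null) return pa.pre === null ? 1 : -1;
  const [ta, na] = pa.pre.split('.'), [tb, nb] = pb.pre.split('.');
  return ta !== tb ? (ta < tb ? -1 : 1) : Number(na) - Number(nb);
}
// "~2.2.3" means >=2.2.3 <2.3.0: patch-only, so a 2.2.4 release is pulled in
// by every dependant using that constraint without any change on their side.
function satisfiesTilde(range, version) {
  const low = range.slice(1), [maj, min] = parseVersion(low).nums;
  return compareVersions(version, low) >= 0 && compareVersions(version, `${maj}.${min + 1}.0`) < 0;
}
// Range quoted in the issue for CVE-2020-15168: <2.6.1, or >=3.0.0-beta.1 <3.0.0-beta.9.
function isVulnerableNodeFetch(version) {
  return compareVersions(version, '2.6.1') < 0 ||
    (compareVersions(version, '3.0.0-beta.1') >= 0 && compareVersions(version, '3.0.0-beta.9') < 0);
}
// Depth-first walk; `graph` maps "name@version" to its direct dependencies.
// Returns every path from `root` that ends at a vulnerable node-fetch.
function findVulnerablePaths(graph, root, path = []) {
  const here = [...path, root], at = root.lastIndexOf('@'); // scoped names keep their leading '@'
  if (root.slice(0, at) === 'node-fetch') return isVulnerableNodeFetch(root.slice(at + 1)) ? [here] : [];
  return (graph[root] ?? []).flatMap((dep) => findVulnerablePaths(graph, dep, here));
}

// Constructed graph: the two paths quoted in the issue plus the patched branch it asks for.
const graph = {
  '@braum/plugin-filter-unauthed@0.1.2': ['braum@0.1.2'],
  'braum@0.1.2': ['cross-fetch@2.2.3'],
  '@cogitojs/cogito@0.2.18': ['@cogitojs/telepath-js@0.2.23'],
  '@cogitojs/telepath-js@0.2.23': ['cross-fetch@2.2.3'],
  'cross-fetch@2.2.3': ['node-fetch@2.1.2'],
  'cross-fetch@2.2.4': ['node-fetch@2.6.1'],
};

for (const root of Object.keys(graph)) for (const p of findVulnerablePaths(graph, root)) console.log('VULNERABLE:', p.join(' -> '));
console.log('~2.2.3 accepts 2.2.4:', satisfiesTilde('~2.2.3', '2.2.4'), '| accepts 3.0.6:', satisfiesTilde('~2.2.3', '3.0.6'));
```

The same walk run over a real `npm ls --json` or lockfile tree is how a downstream maintainer can confirm whether the 2.2.4 release actually removed node-fetch 2.1.2 from their install.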