lquixada / cross-fetch

Universal WHATWG Fetch API for Node, Browsers and React Native.
MIT License

CVE-2022-2596 (Medium) detected in node-fetch-2.6.7.tgz #143

Closed vidyashv-carbon closed 1 year ago

vidyashv-carbon commented 1 year ago

WhiteSource is reporting the CVE-2022-2596 issue for node-fetch 2.6.7. Please update node-fetch to 3.2.10. More details on the issue:

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

Publish Date: 2022-08-01

URL: CVE-2022-2596

CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2596

Release Date: 2022-08-01

Fix Resolution: node-fetch - 3.2.10

vidyashv-carbon commented 1 year ago

Any update on this issue?

rakeshp89 commented 1 year ago

Hi @lquixada - Can you please let us know if there is any update on this issue? I see there is an open PR https://github.com/lquixada/cross-fetch/pull/144

Thanks in advance, Rakesh

vidyashv-carbon commented 1 year ago

This was marked as ignored or false from the team and it auto resolved.


--

Thanks & Regards Vidyashri

katsoohoo commented 1 year ago

Can we get an estimate on when this issue will be addressed?

dev-trilobyte commented 1 year ago

The new fixed version, node-fetch@2.6.8, is finally released. The current package.json of cross-fetch allows an update from 2.6.7 to the new 2.6.8 to resolve these warnings.

@lquixada - can you please release a new bugfix version to (3.1.6?) with this new dependency? Published version 3.1.5 is hard-coded to 2.6.7 unfortunately...

sseide commented 1 year ago

New node-fetch version 2.6.8 fixing this issue is released. @lquixada can you please update your package.json to use 2.6.8 instead of hard-coded 2.6.7 and release a new bugfix version with this minimal fix?

Thanks in advance

lquixada commented 1 year ago

Will close this since author reported issue as ignored or false. Also CVE-2022-2596 seems to be related to node-fetch >= 3.0.0, < 3.2.10 which cross-fetch doesn't rely on.

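The version-range reasoning in the comment above (node-fetch >= 3.0.0 and < 3.2.10 affected; the 2.6.x line that cross-fetch pins is not) as an added example, not code from cross-fetch or node-fetch: a dependency-free Node script that evaluates every node-fetch copy in a package-lock.json against that range. The lockfile fragment, the `other-lib` package and its nested 3.2.9 copy are constructed for the demonstration.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are
// ignored: a deliberate simplification, not a full semver implementation.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Affected range as stated in the thread: introduced in 3.0.0, fixed in 3.2.10.
const CVE_2022_2596 = { pkg: 'node-fetch', introduced: '3.0.0', fixed: '3.2.10' };

function isAffected(version, advisory = CVE_2022_2596) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy of the advisory's package with a verdict.
function auditLock(lock, advisory = CVE_2022_2596) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith(`node_modules/${advisory.pkg}`)) continue;
    hits.push({ path, version: entry.version, affected: isAffected(entry.version, advisory) });
  }
  return hits;
}

// Constructed lockfile fragment: the 2.6.7 pin discussed in the thread plus a
// hypothetical nested 3.2.9 copy pulled in by an unrelated dependency.
const sampleLock = {
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/cross-fetch': { version: '3.1.5' },
    'node_modules/cross-fetch/node_modules/node-fetch': { version: '2.6.7' },
    'node_modules/other-lib/node_modules/node-fetch': { version: '3.2.9' },
  },
};

console.log(auditLock(sampleLock));
```

Only the nested 3.2.9 copy is reported as affected; the 2.6.7 copy that cross-fetch 3.1.5 pins falls outside the range.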

lquixada commented 1 year ago

@dev-trilobyte @sseide cross-fetch@3.1.6 has been released this morning with node-fetch@2.6.11. Hopefully that will help you both.