lquixada / cross-fetch

Universal WHATWG Fetch API for Node, Browsers and React Native.
MIT License

chore: updated node-fetch version to 3.2.10 #144

Closed bijesh closed 1 year ago

bijesh commented 1 year ago

There are some vulnerabilities found in the node-fetch package: https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d https://cwe.mitre.org/data/definitions/400

judehansen commented 1 year ago

Will this get merged? 3.1.5 still has node-fetch 2.6.7

YokkiShi commented 1 year ago

Hi @bijesh, just wondering when this PR will get merged, since CVE-2022-2596 (Medium) was detected in node-fetch-2.6.7.tgz.

bijesh commented 1 year ago

@YokkiShi sorry, I don't have permission to merge this pull request.

bijesh commented 1 year ago

@lquixada are you able to merge this PR, please, or suggest anyone who can do the merge?

CarlosRGL commented 1 year ago

Hello @lquixada, can you please consider merging this PR? It's quite needed. Thanks

rwlodarczyk-xealth commented 1 year ago

@lquixada, can you merge this PR and release a new version of cross-fetch, please?

lquixada commented 1 year ago

node-fetch from v3 is an ESM-only module and cross-fetch is CommonJS compatible. If there's a security issue, a patch should be requested on node-fetch v2.x. FWIW cross-fetch@3.1.6 was released this morning with node-fetch@2.6.11.
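Added example, not part of the thread or of cross-fetch's code: a lockfile audit that lists every resolved copy of node-fetch, names the package that owns it, and separates 2.x copies below a chosen floor from v3 copies, which the maintainer describes as ESM-only. The lockfile is constructed sample data, and the floor `2.6.11` is an assumed policy value taken from the release mentioned above, not a statement of which version fixes the CVE.

```javascript
// Constructed sample in npm lockfile v2/v3 "packages" layout (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "cross-fetch": "^3.1.5" } },
    "node_modules/cross-fetch": { version: "3.1.5", dependencies: { "node-fetch": "2.6.7" } },
    "node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/other-lib": { version: "1.0.0", dependencies: { "node-fetch": "^3.2.10" } },
    "node_modules/other-lib/node_modules/node-fetch": { version: "3.2.10" },
    "node_modules/third-lib": { version: "2.0.0", dependencies: { "node-fetch": "2.6.11" } },
    "node_modules/third-lib/node_modules/node-fetch": { version: "2.6.11" },
  },
};

// Parse "major.minor.patch" into numbers so 2.6.11 sorts above 2.6.7.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// floor2x is a hypothetical policy parameter: the lowest 2.x release you accept.
function auditNodeFetch(lock, floor2x) {
  const suffix = "node_modules/node-fetch";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    // The owner is the package whose node_modules folder holds this copy.
    const owner = path === suffix
      ? "(hoisted)"
      : path.slice(0, -suffix.length - 1).split("node_modules/").pop();
    let status = "ok";
    if (parseVersion(meta.version)[0] >= 3) status = "esm-only"; // not loadable via require()
    else if (compareVersions(meta.version, floor2x) < 0) status = "below-floor";
    findings.push({ path, owner, version: meta.version, status });
  }
  return findings;
}

console.table(auditNodeFetch(SAMPLE_LOCK, "2.6.11"));
```

A `below-floor` row on the hoisted copy is the case discussed in this thread: the fix is a newer cross-fetch release that resolves a newer 2.x node-fetch, not a jump to v3.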