Closed Lomilar closed 1 year ago
We're using cross-fetch in many internal libraries, and #117 is critical; currently, many of our libraries are failing due to missing DNS caching when using node-fetch.
We have the same concerns here. If this package updates itself to use node-fetch 3.2.10, that would be tremendously helpful. Please see the CVE that discusses the security issue.
@lquixada, can you provide an update on this and fixing security issues in general?
@rwlodarczyk-xealth @lquixada May I know the status of this ticket? We are consuming this package and it is blocked due to a security issue.
Ref: https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7/ https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
@lquixada Friendly reminder about this security issue. Any update?
Starting from v3, node-fetch is an ESM-only module, while cross-fetch is CommonJS compatible. If there's a security issue, a patch should be requested on node-fetch v2.x. FWIW, cross-fetch@3.1.6 was recently released with node-fetch@2.6.11.
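For a downstream consumer, the practical question behind the comment above is which node-fetch copies actually end up in the install tree and whether each one is the 2.x line cross-fetch can require() or an ESM-only 3.x pulled in by something else. The following is an added example, not code from the cross-fetch project or from anyone in this thread: it walks a package-lock.json (lockfile v2/v3 "packages" map) and classifies every resolved node-fetch. The thresholds 2.6.11 and 3.0.0 are taken from the comment above, not from an advisory, and the embedded sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example (not from the cross-fetch project): audit a package-lock.json
// for every installed copy of node-fetch and report which dependency owns it.
// Assumptions: lockfile v2/v3 layout ("packages" keyed by node_modules path);
// 2.6.11 is the 2.x version named in the thread, 3.x is ESM-only.

const MIN_V2 = "2.6.11"; // assumption: 2.x below this is reported as outdated
const V3 = "3.0.0";      // 3.x cannot be require()'d from CommonJS code

// Parse "2.6.11" or "3.0.0-beta.9" into [2, 6, 11]; prerelease tags are dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric three-part comparison; returns -1, 0 or 1 (no semver dependency).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed node-fetch. Keys look like
// "node_modules/cross-fetch/node_modules/node-fetch"; the prefix before the
// last "node_modules/node-fetch" is the package that pulled that copy in.
function findNodeFetch(lock) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/node-fetch") || !meta.version) continue;
    const parent = key.replace(/\/?node_modules\/node-fetch$/, "") || "<root>";
    out.push({ path: key, parent, version: meta.version });
  }
  return out;
}

// "esm-only" for 3.x, "outdated" for 2.x below MIN_V2, otherwise "ok".
function classify(version) {
  if (compareVersions(version, V3) >= 0) return "esm-only";
  if (compareVersions(version, MIN_V2) < 0) return "outdated";
  return "ok";
}

function auditLock(lock) {
  return findNodeFetch(lock).map((e) => ({ ...e, status: classify(e.version) }));
}

// Constructed sample: cross-fetch nests an old 2.x copy while another
// dependency hoists node-fetch 3.x to the root. Versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/cross-fetch": { version: "3.1.5", dependencies: { "node-fetch": "2.6.7" } },
    "node_modules/cross-fetch/node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/node-fetch": { version: "3.2.10" },
  },
};

// Pass a real lockfile path as the first argument to audit it; with no
// argument the constructed sample is used.
function main(argv) {
  let lock = SAMPLE_LOCK;
  if (argv[2]) lock = JSON.parse(require("fs").readFileSync(argv[2], "utf8"));
  const report = auditLock(lock);
  for (const r of report) {
    console.log(`${r.status.padEnd(9)} ${r.version.padEnd(8)} via ${r.parent}  (${r.path})`);
  }
  return report;
}

if (typeof process !== "undefined") main(process.argv);
```

Run it as `node audit-node-fetch.js package-lock.json`. A copy reported as "esm-only" is not the one cross-fetch loads (cross-fetch's own copy is the nested one under its path), so a 3.x at the root does not by itself fix or break a CommonJS consumer; the line to watch for the cross-fetch path is whether that nested 2.x copy is at or above the version named in the comment above.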
Context: We're a downstream consumer of this library, and the lack of security updates is making folks nervous.
So the last commit to this software was 10 months ago, and we're looking at suggesting that linkeddata/rdflib.js pick up an alternative library or pursue some other path.
Is anyone aware of a fork that is being supported and published to npm?
I see https://www.npmjs.com/package/@segment/cross-fetch but I'm not sure if it is a pocket release or if there's more there.
Sorry to have this conversation. It's being driven by Secops.
Reasons: https://github.com/lquixada/cross-fetch/issues/143 https://github.com/lquixada/cross-fetch/pull/144