Closed dependabot[bot] closed 4 years ago
This is an important security release. It is strongly recommended to update as soon as possible.
Has this update been published?
@matthew-andrews would you be able to push this new change in a release to NPM? Our CI fails on `yarn audit` because of this.
@matthew-andrews please `npm publish` to the npm registry, so we could install `isomorphic-fetch@2.2.2` (I assume). https://www.npmjs.com/package/isomorphic-fetch - latest for now is 2.2.1.

UPD. I use a legacy project codebase, which currently uses `react-foundation@0.9.6`, and we use React v16.10.0. Considering what I see in package.json for react-foundation: `"fbjs": "^0.8.16", "react": "^0.14.7", "react-dom": "^0.14.7"`, and the year 2018 of the latest release, that component is rather old or not maintained frequently. So don't get me wrong - it's only my work-project-related concern, because I recently received `npm audit` results about `node-fetch`. For my private projects I wouldn't use React Foundation, and I wouldn't be concerned about either `fbjs` or `isomorphic-fetch`.
@alundiak it will be a breaking change so it will be 3.0.0 … but I haven't heard a single person confirm that they've tested it from the master branch and have found it to work properly for them … … …
I agree with @alundiak it will need to be 2.2.2 if it is going to fix the issue with fbjs. Many React packages use an older version of fbjs which uses isomorphic-fetch major version 2, so if you bump the major version then this will not be resolved. For example `create-react-class` has this issue, and it will never be updated, so a major bump would effectively kill that package.
Looks like the Facebook team is hoping that you cut a 2.x patch for this issue: https://github.com/facebook/react/issues/19840#issuecomment-694592664
I'm not very familiar with React … why wouldn't `create-react-class` be updated?
`create-react-class` has removed their code from the repo expecting to never make another build: https://github.com/reactjs/reactjs.org/issues/2189
Also see discussion: https://github.com/facebook/react/issues/19840#issuecomment-697375798
It's best if you do a 2.2.2 patch release.
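The semver point the thread makes above (a caret range such as the one fbjs declares on isomorphic-fetch will pick up a 2.2.2 patch but never a 3.0.0 major, so only a 2.x release carries the node-fetch fix to fbjs consumers), as an added JavaScript example that is not part of this PR or the isomorphic-fetch project. The declared ranges and the candidate isomorphic-fetch releases 2.2.2 and 3.0.0 are constructed assumptions, and the resolver handles only plain `^x.y.z` caret ranges and exact versions.

```javascript
// Added example, not code from the PR or the isomorphic-fetch project. It models
// the thread's semver argument: fbjs pins isomorphic-fetch with a caret range, so
// only a 2.x patch can carry the node-fetch fix down to fbjs consumers.
// Simplified resolver: plain "^x.y.z" caret ranges and exact versions only.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Caret rule: the leftmost non-zero part is fixed, parts to its right may grow
// ("^2.1.1" => >=2.1.1 <3.0.0, "^0.8.16" => >=0.8.16 <0.9.0).
function satisfies(version, range) {
  if (!range.startsWith("^")) return compare(version, range) === 0;
  const floor = range.slice(1);
  if (compare(version, floor) < 0) return false;
  const [v, f] = [parse(version), parse(floor)];
  const fixedParts = f[0] > 0 ? 1 : f[1] > 0 ? 2 : 3;
  return v.slice(0, fixedParts).every((n, i) => n === f[i]);
}

// Highest published version satisfying the range, as npm resolves by default.
function pick(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state; the declared ranges are assumptions for this example.
const RANGES = {
  fbjs: { "isomorphic-fetch": "^2.1.1" },
  "isomorphic-fetch": {
    "2.2.1": { "node-fetch": "^1.0.1" }, // released line, still on node-fetch 1.x
    "2.2.2": { "node-fetch": "^2.6.1" }, // hypothetical patch release
    "3.0.0": { "node-fetch": "^2.6.1" }, // hypothetical major release
  },
};

// Follow fbjs -> isomorphic-fetch -> node-fetch for a given set of published versions.
function resolveChain(isoPublished, nodeFetchPublished) {
  const iso = pick(RANGES.fbjs["isomorphic-fetch"], isoPublished);
  const nf = iso && pick(RANGES["isomorphic-fetch"][iso]["node-fetch"], nodeFetchPublished);
  return { iso, nodeFetch: nf, fixed: Boolean(nf) && compare(nf, "2.6.1") >= 0 };
}
// A 3.0.0 release leaves fbjs on 2.2.1 -> node-fetch 1.7.3; a 2.2.2 patch fixes it.
console.log(resolveChain(["2.2.1", "3.0.0"], ["1.7.3", "2.6.1"]));
console.log(resolveChain(["2.2.1", "2.2.2"], ["1.7.3", "2.6.1"]));
```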
Bumps node-fetch from 1.7.3 to 2.6.1.
Release notes
Sourced from node-fetch's releases.
Changelog
Sourced from node-fetch's changelog.
Commits
- b5e2e41 update version number
- 2358a6c Honor the `size` option after following a redirect and revert data uri support
- 8c197f8 docs: Fix typos and grammatical errors in README.md (#686)
- 1e99050 fix: Change error message thrown with redirect mode set to error (#653)
- 244e6f6 docs: Show backers in README
- 6a5d192 fix: Properly parse meta tag when parameters are reversed (#682)
- 47a24a0 chore: Add opencollective badge
- 7b13662 chore: Add funding link
- 5535c2e fix: Check for global.fetch before binding it (#674)
- 1d5778a docs: Add Discord badge
Maintainer changes
This version was pushed to npm by akepinski, a new releaser for node-fetch since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/matthew-andrews/isomorphic-fetch/network/alerts).