matthew-andrews / isomorphic-fetch

Isomorphic WHATWG Fetch API, for Node & Browserify
MIT License

Tag a new version with the security fix #191

Closed atuttle closed 4 years ago

atuttle commented 4 years ago

I see that you updated your node-fetch dependency a couple of hours ago to fix a minor security vulnerability. I'm here looking for an updated version because I received the same vulnerability notification from :octocat:... So I'm probably not the only one looking for a new version of isomorphic-fetch that I can slap into my package.json to make the alert go away. :)

yizhiheng commented 4 years ago

yes, please fix this 🙏

AndrijBartenev commented 4 years ago

Yes, that would be really great!

matthew-andrews commented 4 years ago

Ah yes indeed, this is the plan … have you tested it … are you confident that it works for you all?

shanytc commented 4 years ago

Would be great for a new release with node-fetch updated

cberg-zalando commented 4 years ago

@matthew-andrews As it is still a new version, and due to node's dependency mechanism users will not directly update unless they actively do it via package.json or by recreating a lockfile, I would say: just release it.

a-reuss commented 4 years ago

Dear @matthew-andrews, as @cberg-zalando mentioned, nobody has to apply the new version, and we (our team) would really appreciate it if you released an updated version of isomorphic-fetch, as it is the only simple way to keep our live product secure. We really do rely on this.

Thanks and with best regards

lkuechler commented 4 years ago

@matthew-andrews I just tested it in one of my projects. I cloned the repository and linked it as a resolution in my project.

With the new version everything worked the same as before. This is obviously not an in-depth test, but maybe it already gives some more certainty.

bertold commented 4 years ago

Could you please release the new version? The last released version, 2.2.1, is from 5 years ago.

vzaidman commented 4 years ago

+1

shanytc commented 4 years ago

@matthew-andrews when is a new tag release?

matthew-andrews commented 4 years ago

Thanks for your testing @lkuechler … it matches what I see.

It has been published at v3.0.0 as the underlying dependencies (node-fetch and the fetch browser polyfill) have been pulled from new major versions.

% npm publish
+ isomorphic-fetch@3.0.0