matthew-andrews / isomorphic-fetch

Isomorphic WHATWG Fetch API, for Node & Browserify
MIT License
6.96k stars 290 forks

Bump node-fetch to 2.6.7 to resolve security issue #204

Open roberttaylor426 opened 2 years ago

roberttaylor426 commented 2 years ago

See here and here.

Addresses #202.

gthrm commented 2 years ago

@matthew-andrews Hi! Please merge this PR. It's very important for some packages which depend on this.

scalixte-mdsol commented 2 years ago

How soon until this PR gets merged? Does this update also require a version?

ryami333 commented 2 years ago

@matthew-andrews could you please comment on the status of this high-severity security issue?

gcruchon commented 2 years ago

Hey all... is this library still maintained?

With 6.6M downloads each week, I hoped so... but I don't see any PR nor release for 1.5 years... Is there still hope?

cc @jxck

roberttaylor426 commented 2 years ago

@gcruchon I share your concerns.

FWIW due to the lack of response here I've since switched to cross-fetch as suggested in this project's README. Transition was straightforward.

JCMartell commented 2 years ago

@roberttaylor426 @matthew-andrews Any updates on if this PR will complete or not? We have nested dependencies (dependency of a dependency) that uses this package. This PR would resolve one of our security issue that we can't really fix otherwise.

joshuaball commented 2 years ago

Any ETA for this merge?

knoxgon commented 1 year ago

Year 2023 and still, the PR has not been merged... We're stuck with the security warning forever I guess...

quanghuynh1502 commented 1 year ago

@matthew-andrews please merge

matthew-andrews commented 1 year ago

I don't understand why this is necessary. The semver should match the newer version … can someone help explain why it's necessary?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7

quanghuynh1502 commented 1 year ago

I don't understand why this is necessary. The semver should match the newer version … can someone help explain why it's necessary?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7

Sorry if I confused you. All I need is a patch or minor version of isomorphic-fetch@2, because some packages use the ^2.x.x version and we cannot upgrade them to use your isomorphic-fetch@3. Please let me know if that is valid. Thanks

matthew-andrews commented 1 year ago

hmm, this pull request is not really going to help for v2 because version v2 relies on node-fetch v1.x.x/whatwg-fetch v0.x.x … the only change between v2 and v3 is this upgrade to use the later versions of node-fetch(v2.x.x)/whatwg-fetch(v3.x.x) so that doesn't really make sense.

is there a version of node-fetch from the v1.x.x that passes your security check? i guess not …

probably the more correct thing to do is upgrade to the v3 branch of isomorphic-fetch … and get fbjs to upgrade also.

matthew-andrews commented 1 year ago

just to prove this pull request is not necessary:

% mkdir test
% cd test
% echo {} > package.json
% npm install --save isomorphic-fetch

added 6 packages, and audited 7 packages in 577ms

found 0 vulnerabilities
% npm ls --all
test@ /Users/matthewandrews/repos/test
└─┬ isomorphic-fetch@3.0.0
  ├─┬ node-fetch@2.6.9
  │ ├── UNMET OPTIONAL DEPENDENCY encoding@^0.1.0
  │ └─┬ whatwg-url@5.0.0
  │   ├── tr46@0.0.3
  │   └── webidl-conversions@3.0.1
  └── whatwg-fetch@3.6.2

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch
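As an added illustration of the semver argument in the two maintainer comments above (this is example code written for this page, not code from the isomorphic-fetch project), the script below re-implements npm's caret (^) range rule and a highest-satisfying-version pick. The version list is constructed; the `^2.6.1` range is the one from the semver-check link in the thread.

```javascript
// Added example, not code from the isomorphic-fetch project: a minimal
// re-implementation of npm's caret (^) range rule, enough to check the
// two claims in this thread: "^2.6.1" already admits node-fetch 2.6.7
// and 2.6.9, while a dependency on node-fetch 1.x can never resolve to 2.x.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero
// component may not change, so ^2.6.1 means >=2.6.1 <3.0.0 and
// ^0.1.0 means >=0.1.0 <0.2.0.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareTriples(v, lower) >= 0 && compareTriples(v, caretUpperBound(lower)) < 0;
}

// What npm does at install time: take the highest published version
// that satisfies the range, or null if nothing does.
function resolveHighest(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compareTriples(parseVersion(a), parseVersion(b))).pop();
}

// Constructed list standing in for the node-fetch versions on the registry.
const PUBLISHED_NODE_FETCH = ['1.7.3', '2.6.1', '2.6.6', '2.6.7', '2.6.9'];

// The ^2.6.1 range from the semver-check link picks the newest 2.x, as npm ls showed:
console.log(resolveHighest('^2.6.1', PUBLISHED_NODE_FETCH)); // 2.6.9
// A 1.x range, as on the isomorphic-fetch v2 branch, can never reach 2.6.7:
console.log(satisfiesCaret('2.6.7', '^1.7.3')); // false
```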

rjstanford commented 6 months ago

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch

The issue is that some of us with legacy code to maintain cannot easily update our intermediate dependencies, which leaves us requiring a 2.x branch of isomorphic-fetch; if a point release of the 2.x version could be made that updated this dependency it would bring a lot of older applications up to more secure code.