octokit / rest.js

GitHub REST API client for JavaScript
https://octokit.github.io/rest.js
MIT License

node-fetch@2.6.1 vulnerability #131

Closed DanOnCall closed 2 years ago

DanOnCall commented 2 years ago

Checklist

Environment

Versions

├── @octokit/plugin-rest-endpoint-methods@5.13.0
├── @octokit/rest@18.12.0

What happened?

I use Snyk to monitor my Node.js dependencies.

I ran snyk test on a project that uses @octokit/rest@18.12.0 and I got the following report:

Information Exposure [Medium Severity] vulnerability in node-fetch@2.6.1 https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118 introduced by @octokit/rest@18.12.0 > @octokit/core@3.5.1 > @octokit/request@5.6.2 > node-fetch@2.6.1 and 1 other path(s) This issue was fixed in versions: 2.6.7, 3.1.1

Minimal test case to reproduce the problem

Install @octokit/rest@18.12.0 in any Node.js project and then run snyk test as described in the "Snyk Test using CLI" document.

What did you expect to happen?

If possible, it would be ideal to mitigate this vulnerability by bumping the node-fetch dependency to 2.6.7 or 3.1.1.

What the problem might be

https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118

wolfy1339 commented 2 years ago

We cannot upgrade to v3 of node-fetch since it is now an ESM module.

However, we can upgrade to 2.6.7 which contains a backported fix for that vulnerability.

But, the octokit modules are unmaintained. For more information, check out this discussion, and subscribe for any further updates.

Considering that, I am considering maybe pushing a hotfix for this vulnerability.

wolfy1339 commented 2 years ago

@octokit/request v5.6.3 was just published, which should solve this issue.

Make sure to refresh your lock files to install the latest version of @octokit/request.

DanOnCall commented 2 years ago

Thank you! I appreciate the information on the fix and also on the status of the octokit libraries 👍