Closed DanOnCall closed 2 years ago
We cannot upgrade to v3 of node-fetch since it is now an ESM module.
However, we can upgrade to 2.6.7 which contains a backported fix for that vulnerability.
But the octokit modules are unmaintained. For more information, check out this discussion, and subscribe for any further updates.
Considering that, I am considering maybe pushing a hotfix for this vulnerability.
@octokit/request v5.6.3 was just published, which should solve this issue.
Make sure to refresh your lock files to install the latest version of @octokit/request.
Thank you! I appreciate the information on the fix and also on the status of the octokit libraries 👍
Checklist
Environment
Versions
What happened?
I use Snyk to monitor my Node.js dependencies.
I ran snyk test on a project that uses @octokit/rest@18.12.0 and I got the following report:

    Information Exposure [Medium Severity] vulnerability in node-fetch@2.6.1
    https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
    introduced by @octokit/rest@18.12.0 > @octokit/core@3.5.1 > @octokit/request@5.6.2 > node-fetch@2.6.1 and 1 other path(s)
    This issue was fixed in versions: 2.6.7, 3.1.1
Minimal test case to reproduce the problem
Install @octokit/rest@18.12.0 in any Node.js project and then run snyk test as described in the "Snyk Test using CLI" document.
What did you expect to happen?
If possible, please, it would be ideal to mitigate this vulnerability by bumping the node-fetch dependency to 2.6.7 or 3.1.1.
What the problem might be
https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118
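The report above shows the vulnerable version reached through a transitive path, and the maintainer's fix only takes effect once the lockfile is refreshed. The script below is an added example, not code from the octokit project or from the issue participants: it walks an npm lockfile (lockfileVersion 2 or 3 "packages" map), resolves which node-fetch entry each dependent actually gets using npm's nearest-ancestor node_modules lookup, and flags any resolution below the fixed releases the report names (2.6.7 for the 2.x line, 3.1.1 for the 3.x line). The embedded sample lockfile is constructed to mirror the reported path @octokit/rest@18.12.0 > @octokit/core@3.5.1 > @octokit/request@5.6.2 > node-fetch@2.6.1; the some-other-lib entry is invented to show a nested, already-fixed copy being left alone. Treating 4.x and later as fixed is an assumption, as the report lists no such line.

```javascript
// Added example (not octokit's or the reporter's code): find node-fetch
// resolutions in an npm lockfile that are still below the fixed versions
// named in the Snyk report (2.6.7 for 2.x, 3.1.1 for 3.x).
// Usage: node check-node-fetch.js [path/to/package-lock.json]
// With no argument it runs against the constructed SAMPLE_LOCK below.

// Constructed sample lockfile mirroring the reported dependency path.
// "some-other-lib" is invented to show a nested, fixed copy of node-fetch.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { '@octokit/rest': '^18.12.0' } },
    'node_modules/@octokit/rest': { version: '18.12.0', dependencies: { '@octokit/core': '^3.5.1' } },
    'node_modules/@octokit/core': { version: '3.5.1', dependencies: { '@octokit/request': '^5.6.0' } },
    'node_modules/@octokit/request': { version: '5.6.2', dependencies: { 'node-fetch': '^2.6.1' } },
    'node_modules/node-fetch': { version: '2.6.1' },
    'node_modules/some-other-lib': { version: '1.0.0', dependencies: { 'node-fetch': '^2.6.7' } },
    'node_modules/some-other-lib/node_modules/node-fetch': { version: '2.6.7' },
  },
};

// Minimal semver comparison on the numeric core; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Fixed versions from the report. Anything below 2.6.7 on the 2.x line
// (and older) is affected; 3.x is fixed at 3.1.1. Treating 4.x+ as fixed
// is an assumption: the report does not mention such a line.
function isVulnerableNodeFetch(version) {
  const major = Number(version.split('.')[0]);
  if (major >= 4) return false;
  if (major === 3) return compareVersions(version, '3.1.1') < 0;
  return compareVersions(version, '2.6.7') < 0;
}

// Resolve which lockfile entry `name` refers to when required from the
// package stored at `fromKey`, following npm's lookup: the package's own
// node_modules first, then each ancestor's, ending at the root node_modules.
function resolveDependency(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Return one record per dependent whose node-fetch resolves to an affected version.
function findVulnerableNodeFetch(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [fromKey, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (!('node-fetch' in deps)) continue;
    const resolvedKey = resolveDependency(packages, fromKey, 'node-fetch');
    if (!resolvedKey) continue;
    const version = packages[resolvedKey].version;
    if (version && isVulnerableNodeFetch(version)) {
      // The last "node_modules/" segment of the key is the dependent's own name.
      const dependent = fromKey ? fromKey.split('node_modules/').pop() : '(root)';
      hits.push({ dependent, version, resolvedKey });
    }
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableNodeFetch(lock);
  for (const h of hits) {
    console.log(`${h.dependent} resolves node-fetch@${h.version} (${h.resolvedKey}) - affected`);
  }
  if (hits.length === 0) console.log('no affected node-fetch resolutions found');
  process.exitCode = hits.length ? 1 : 0;
}
```

Run it against the project's package-lock.json before and after refreshing the lockfile: a non-zero exit means some dependent still resolves to an affected copy, which is exactly what "refresh your lock files" is meant to clear. Because the check resolves through nesting rather than just listing node-fetch entries, a fixed copy nested under one package does not mask a hoisted, still-affected copy used by another.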