tmijs / tmi.js

💬 Javascript library for the Twitch Messaging Interface. (Twitch.tv)
https://tmijs.com
MIT License

npm audit reports old compromised version of node-fetch as a dependency #498

Closed djsegfault closed 2 years ago

djsegfault commented 2 years ago

Actual behaviour: npm audit reports vulnerable dependency

Expected behaviour: No dependency vulnerabilities

Error log:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tmi.js                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tmi.js > node-fetch                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r683-j2x4-v87g            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 65 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Server configuration

AlcaDesign commented 2 years ago

A dependabot PR to upgrade node-fetch exists #499 but it's not compatible because of import in node-fetch 3.x and I'm not satisfied. The issue doesn't affect tmi.js and can be avoided anyway by setting options.skipUpdatingEmotesets to true so it won't make any calls using node-fetch.

const client = new tmi.Client({ options: { skipUpdatingEmotesets: true } });

micalevisk commented 2 years ago

The patch was made on v2 as well. Thus you could upgrade node-fetch to 2.6.7 instead of 3.x.

https://github.com/tmijs/tmi.js/blob/28e9e9e1336d0364d476d2021ce575b487c8d587/package.json#L48

In fact, this is covered already due to the semver range above. Thus npm audit doesn't report anything now. You can close this :)
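The two replies above make a distinction worth checking mechanically: whether the range a package declares already admits a fixed node-fetch (so a fresh install or `npm update` resolves clean), versus whether an existing lockfile still pins an affected version. The script below is an added example, not tmi.js code. It implements npm's plain caret-range rule and the affected ranges this thread states for GHSA-r683-j2x4-v87g (everything below 2.6.7, and 3.0.0 up to but excluding 3.1.1). The `^2.6.1` range in the sample input is an assumption standing in for the package.json line linked above, not a quote of it; the lockfile versions are likewise constructed.

```javascript
// Added example (not tmi.js code). Answers two questions about a transitive
// node-fetch dependency flagged by npm audit:
//   1. Does the declared semver range already reach a patched release?
//   2. Does the pinned lockfile version still fall in the affected range?
// Advisory data taken from this thread: 2.x fixed in 2.6.7, 3.x fixed in 3.1.1.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare on [major, minor, patch]: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory as described on this page:
//   < 2.6.7 (covers every 2.x below the fix and all 1.x) and >= 3.0.0 < 3.1.1.
function isAffected(version) {
  const v = parseVersion(version);
  if (compare(v, [2, 6, 7]) < 0) return true;
  if (v[0] === 3 && compare(v, [3, 1, 1]) < 0) return true;
  return false;
}

// Bounds of a plain ^x.y.z range following npm's caret rule: the leftmost
// non-zero component is held fixed, everything to its right may float.
function caretBounds(range) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`only plain ^x.y.z ranges are handled: ${range}`);
  const lo = parseVersion(m[1]);
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return { lo, hi };
}

function rangeAllows(range, version) {
  const { lo, hi } = caretBounds(range);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// rangeReachesFix: a fresh resolve of the declared range can land on a fixed
//   release (2.6.7 or 3.1.1), so `npm update node-fetch` clears the finding.
// lockAffected: the version the lockfile currently pins is still affected,
//   meaning installs from that lockfile are not clean until it is updated.
function auditDependency({ declaredRange, lockedVersion }) {
  const fixedReleases = ['2.6.7', '3.1.1'];
  const rangeReachesFix = fixedReleases.some((f) => rangeAllows(declaredRange, f));
  const lockAffected = lockedVersion ? isAffected(lockedVersion) : null;
  return { rangeReachesFix, lockAffected };
}

// Constructed sample inputs: same assumed range, two different lockfile states.
const freshLock = auditDependency({ declaredRange: '^2.6.1', lockedVersion: '2.6.7' });
const staleLock = auditDependency({ declaredRange: '^2.6.1', lockedVersion: '2.6.1' });
console.log(freshLock); // { rangeReachesFix: true, lockAffected: false }
console.log(staleLock); // { rangeReachesFix: true, lockAffected: true }
```

In practice the lockfile version comes from `npm ls node-fetch` in the consuming project; when the declared range reaches the fix but the lock is stale, `npm update node-fetch` (or a fresh install without the lockfile) is enough, and no change to the dependent's package.json is needed, which is the point made in the last reply. A `^3.x` range would also reach 3.1.1, but as the maintainer notes, node-fetch 3.x is a separate compatibility question.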