node-fetch high severity vulnerabilities
Is there an existing issue for this?
- I have searched the existing issues
Current behavior
review  node-fetch  high  >=3.1.1
  node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
  https://github.com/advisories/GHSA-r683-j2x4-v87g
  @nestjs/core > @nuxtjs/opencollective > node-fetch
Minimum reproduction code
Steps to reproduce
- npm i
  message:
    found 9 high severity vulnerabilities
      run `npm audit fix` to fix them, or `npm audit` for details
- npm audit
  message:
    High           node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
    Package        node-fetch
    Patched in     >=3.1.1
    Dependency of  7cbe6f22abc4b54af7c8e3d7b4de18f70b2a6ca596ebcf3243f7de2c7fc…
    Path           7cbe6f22abc4b54af7c8e3d7b4de18f70b2a6ca596ebcf3243f7de2c7fc…
                   > 7d2f6aa1cf2988150f4b2a53942778071e6e8f4fc512fb93e4b075de77c…
                   > 7dbc5c2f8c28530cd0cccc14db4466b29506f0d1ca7496780bd9a54f8a2…
                   > 7cbe6f22abc4b54af7c8e3d7b4de18f70b2a6ca596ebcf3243f7de2c7fc…
                   > 7d2f6aa1cf2988150f4b2a53942778071e6e8f4fc512fb93e4b075de77c…
                   > 7dbc5c2f8c28530cd0cccc14db4466b29506f0d1ca7496780bd9a54f8a2…
                   > 3ccdad27d510c11f8e38b7a4aab8abf406b9e75051f21ae682a6c6efbac…
                   > 7836f168f41f00b3a1c39f1853c48f940922be30854fa4f119a6e2356a4…
                   > @nestjs/core > @nuxtjs/opencollective > node-fetch
    More info      https://github.com/advisories/GHSA-r683-j2x4-v87g
Expected behavior
@nestjs/core depends on node-fetch 2.6.7, but the latest node-fetch is 3.2.0. Why not upgrade to 3.x?
Package
- I don’t know. Or some 3rd-party package
- @nestjs/common
- @nestjs/core
- @nestjs/microservices
- @nestjs/platform-express
- @nestjs/platform-fastify
- @nestjs/platform-socket.io
- @nestjs/platform-ws
- @nestjs/testing
- @nestjs/websockets
- Other (see below)
Other package
No response
NestJS version
8.2.3
Packages versions
"@nestjs/axios": "^0.0.3",
"@nestjs/common": "^8.2.3",
"@nestjs/config": "^1.1.5",
"@nestjs/core": "^8.2.3",
"@nestjs/microservices": "^8.2.3",
"@nestjs/platform-fastify": "^8.2.3",
"@nestjs/swagger": "^5.1.5",
"@nestjs/terminus": "^8.0.3",
"@nestjs/typeorm": "^8.0.2",
"cache-manager": "^3.6.0",
"cache-manager-ioredis": "^2.1.0",
"class-transformer": "^0.5.1",
"class-validator": "^0.13.2",
"fastify-swagger": "^4.12.6",
"ioredis": "^4.28.2",
"mysql2": "^2.3.3",
"nats": "^2.4.0",
"nestjs-pino": "^2.3.1",
"pino": "^7.5.1",
"pino-http": "^6.4.0",
"rxjs": "^7.4.0",
"tslib": "^2.3.1",
"typeorm": "^0.2.41"
Node.js version
14.17.4
In which operating systems have you tested?
- macOS
- Windows
- Linux
Other
No response
Issue Analytics
- Created 2 years ago
- Reactions: 2
- Comments: 7 (5 by maintainers)
Actually, like you’ve shown: @nestjs/core > @nuxtjs/opencollective > node-fetch, nestjs doesn’t depend on node-fetch directly. I guess @nuxtjs/opencollective didn’t use v3 due to this. Also, 0.3.2 is the latest version of @nuxtjs/opencollective:
https://github.com/nestjs/nest/blob/6ffdef14bc9e4a77d8b4b20a302fd864f31c9124/packages/core/package.json#L30
This was fixed in node-fetch@2.6.7 as well. And the latest version of @nestjs/core (8.2.6) doesn’t have such a vulnerability anymore.