While upgrading the Serverless module to the latest version @3.0.1, the dependency module node-fetch is not updated to the latest version
Are you certain it's a bug?
- Yes, it looks like a bug
Is the issue caused by a plugin?
- It is not a plugin issue
Are you using the latest version?
- Yes, I’m using the latest version
Is there an existing issue for this?
- I have searched existing issues, it hasn’t been reported yet
Issue description
As per npm, the latest node-fetch version is 3.2.0, but when upgrading Serverless to the latest version @3.0.1, the node-fetch version taken is @2.6.7. Due to this, we are facing security issues.
Kindly update us on the above issue: whether the node-fetch dependency of the Serverless module will be upgraded.
Service configuration (serverless.yml) content
N/A
Command name and used flags
N/A
Command output
N/A
Environment information
N/A
I've checked and it seems like the security patch is applied to 2.6.7, as @dne suggests, so I think the report is incorrect. Could you confirm, @SaitejaChavva?
If this is CVE-2022-0235, the fix was backported to node-fetch 2.x and released in v2.6.7, so maybe JFROG is inaccurate?
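The maintainers' point is that a backported fix makes "is it the latest version?" the wrong question; the right one is "is this copy at or above the patched version on its own release line?". The following is an added example, not code from the Serverless project or from the issue's participants: it audits every installed copy of node-fetch in a package-lock.json (lockfileVersion 2 or 3 "packages" map) against a per-major patched floor. Only the 2.x floor (2.6.7) is taken from this thread; other release lines are deliberately left out and report "unknown", and the lockfile is a constructed sample.

```javascript
// Added example, not part of the Serverless project or the original issue.
// Patched floor per major release line. 2.6.7 comes from the issue thread
// (the CVE-2022-0235 fix backported to the 2.x line); nothing is assumed about
// other lines, so they deliberately come back as "unknown".
const PATCHED_FLOOR = { 2: "2.6.7" };

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparsable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not lexicographic) comparison: "2.6.10" is newer than "2.6.7".
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Classify one installed version against the floor of its own major line.
function classify(version) {
  const floor = PATCHED_FLOOR[parseVersion(version)[0]];
  if (floor === undefined) return "unknown";
  return compareVersions(version, floor) >= 0 ? "patched" : "vulnerable";
}

// Walk the lockfile's "packages" map. Keys are install paths such as
// "node_modules/node-fetch" (hoisted) or
// "node_modules/<dep>/node_modules/node-fetch" (nested duplicate), so a
// single project can carry several copies at different versions.
function auditLock(lock, pkgName = "node-fetch") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const exact = path === `node_modules/${pkgName}`;
    const nested = path.endsWith(`/node_modules/${pkgName}`);
    if (exact || nested) {
      hits.push({ path, version: entry.version, status: classify(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: one hoisted 2.6.7 copy and one older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/some-plugin/node_modules/node-fetch": { version: "2.6.1" },
  },
};

console.table(auditLock(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a "vulnerable" row at a nested path is exactly the case a "latest version" check would miss.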