NPM audit advisory 1556 due to node-fetch dependency
- Method of installation: npm
- Swagger-UI version: 3.34.0
Expected behavior
npm audit should not report any issues.
Actual behaviour
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ swagger-ui > react > create-react-class > fbjs > │
│ │ isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ swagger-ui > react-redux > create-react-class > fbjs > │
│ │ isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ swagger-ui > react > fbjs > isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ swagger-ui > react-dom > fbjs > isomorphic-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Additional notes
Downstream issue: https://github.com/facebook/react/issues/19840
Downstream root issue: https://github.com/matthew-andrews/isomorphic-fetch/pull/189
Guess we’ll have to wait until isomorphic-fetch releases a 2.x version.
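To tell which of the paths in the audit output above actually carry an unpatched copy, the following added script (not part of this issue or of the swagger-ui project) walks an `npm ls --json`-style tree, finds every node-fetch occurrence and checks its installed version against the patched range the advisory prints. The package tree, the `my-api-docs` and `some-server-lib` names and the fbjs/isomorphic-fetch/node-fetch version numbers are constructed sample data.

```javascript
// Added example (not swagger-ui's own code): triage every node-fetch in an
// `npm ls --json`-style tree against the patched range printed by npm audit for
// advisory 1556: ">=2.6.1 <3.0.0-beta.1 || >=3.0.0-beta.9". Semver precedence is
// implemented inline so the script runs with no dependencies.
function parseVersion(v) {
  const i = v.indexOf('-');
  const core = i < 0 ? v : v.slice(0, i);
  const pre = i < 0 ? null : v.slice(i + 1).split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p));
  return { nums: core.split('.').map(Number), pre };
}

// Returns -1, 0 or 1 under semver precedence (a prerelease sorts before its release).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre || !y.pre) return x.pre === y.pre ? 0 : x.pre ? -1 : 1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === 'number' ? -1 : 1; // numeric < alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// The patched range exactly as printed in the advisory table above.
function isPatched(version) {
  const ge = (b) => compareVersions(version, b) >= 0;
  return (ge('2.6.1') && !ge('3.0.0-beta.1')) || ge('3.0.0-beta.9');
}

// Walk an `npm ls --json` tree and report every path that ends in `target`.
function triage(tree, target, trail = [tree.name]) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === target) hits.push({ path: path.join(' > '), version: node.version, patched: isPatched(node.version) });
    hits.push(...triage(node, target, path));
  }
  return hits;
}

// Constructed sample: the first audit path above, plus one branch that already carries a patched copy.
const chain = (pairs) => pairs.reduceRight((deps, [name, version]) => ({ [name]: { version, dependencies: deps } }), {});
const SAMPLE_TREE = { name: 'my-api-docs', dependencies: {
  ...chain([['swagger-ui', '3.34.0'], ['react', '15.7.0'], ['create-react-class', '15.7.0'],
            ['fbjs', '0.8.17'], ['isomorphic-fetch', '2.2.1'], ['node-fetch', '1.7.3']]),
  ...chain([['some-server-lib', '1.0.0'], ['node-fetch', '2.6.1']]),
} };
```

Pipe real `npm ls node-fetch --json` output into `triage(tree, 'node-fetch')` to see which paths still need a fix; paths whose installed version is already inside the patched range are audit noise rather than exposure.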
Top GitHub Comments
To those tracking this issue, here is some background:
This is most likely a false positive via the React@15 library, specifically with fbjs, but we can’t guarantee it. In the other dependency instances where SwaggerUI uses node-fetch, the library authors have been able to migrate to node-fetch@2.6.1.
SwaggerUI has sub-dependencies that use a version of fbjs which uses isomorphic-fetch@2.x. Moving to isomorphic-fetch@3 is a breaking semver change to fbjs and any upstream dependencies. The React team has requested a minor version bump of isomorphic-fetch@2.x, but atm, it does not look like it will happen. It also appears that the React team will not do a minor version change to fbjs.
I’m keeping this ticket open for now, hoping that we will eventually get a minor version update from either fbjs or isomorphic-fetch.
References:
https://github.com/facebook/react/issues/19840
https://github.com/facebook/fbjs/issues/402
https://github.com/matthew-andrews/isomorphic-fetch/pull/189
FYI, this is the current result of npm audit for node-fetch
Hello @tim-lai, are there any plans on your part to update your dependencies for the remaining packages you mention as a result of the npm audit? As this would mean bumping your react version by one major, I know it would be quite an endeavor, but still asking. Thanks