vulnerability found in dependency #149

xemayebenes · 2020-12-23T13:18:25Z

Last version throws audit fails

.	-
Low	Denial of Service
Package	node-fetch
Patched in	>=2.6.1 <3.0.0-beta.1
Dependency of	avatax
Path	avatax > isomorphic-fetch > node-fetch
More info	https://npmjs.com/advisories/1556

Are you planning to fix this dependency?

Eric-Dunaway · 2021-08-03T19:41:14Z

This PR fixed the issue with the out of date node-fetch in isomorphic-fetch
matthew-andrews/isomorphic-fetch#189

eboureau · 2022-02-01T14:23:05Z

HI, any news on that one?
There is now a High vulnerability in node-fetch dependency, when do you plan to upgrade to isomorphic-fetch@3.0.0?

eboureau · 2022-02-02T10:58:57Z

I also think you should get rid of isomorphic-fetch and just use node-fetch@2.6.7. IMO isomorphic-fetch has no added value using node.js

chelevich · 2022-05-25T15:25:04Z

seems to be resolved by 7d87bb4

svc-developer · 2022-06-08T21:38:09Z

Resolved in 22.5.0.
Thanks

eboureau mentioned this issue Feb 10, 2022

fix: node-fetch CVE-2022-0235 and reduce tech debt #214

Open

svc-developer closed this as completed Jun 8, 2022

Provide feedback