Skip to content
This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

Remove vulnerable version of cross-fetch #404

Merged
merged 1 commit into from
Apr 6, 2022
Merged

Remove vulnerable version of cross-fetch #404

merged 1 commit into from
Apr 6, 2022

Conversation

wbt
Copy link
Contributor

@wbt wbt commented Feb 4, 2022

Closes #401.

@wbt wbt requested a review from a team as a code owner February 4, 2022 18:51
@wbt
Copy link
Contributor Author

wbt commented Feb 16, 2022

Error: #404, reviewer not found

This was referenced Mar 30, 2022
Closed
Closed
@brianlenz
Copy link

Any chance we can get this merged and get a 16.0.4 release pushed?

@brianlenz
Copy link

brianlenz commented Mar 30, 2022
edited
Loading

@wbt, you probably should run a yarn install with the change to get yarn.lock updated, too.

But having said that, I realized this alone won't solve the root of the issue, as it's also a transitive dependency from eth-json-rpc-infura This is actually a non-issue, as v16.0.3 uses a newer version that is unaffected.

https://github.com/MetaMask/web3-provider-engine/blob/main/yarn.lock#L3338

@wbt wbt mentioned this pull request Apr 6, 2022
Merged
wbt added a commit to wbt/cross-fetch that referenced this pull request Apr 6, 2022
@wbt
Update away from vulnerable version of node-fetch
832f946 
Backporting lquixada#124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@wbt wbt mentioned this pull request Apr 6, 2022
Merged
@wbt
Copy link
Contributor Author

wbt commented Apr 6, 2022

@brianlenz I've learned the hard way to exclude package-lock files from PRs to web3 projects. If a maintainer wants to do that, or if someone else wants to issue a PR against my branch awaiting a maintainer's indication that that can be merged first, fine, but I'm not going to sink my own PR by violating a rule like that.

mcmire
mcmire approved these changes Apr 6, 2022
View reviewed changes
Copy link
Contributor

@mcmire mcmire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I took a look and you're right, it seems like this dependency is no longer used. Seems like someone else in #400 had the same idea too. Thanks so much and sorry for the long delay on this.

@mcmire mcmire merged commit 3773de9 into MetaMask:main Apr 6, 2022
@mcmire mcmire mentioned this pull request Apr 6, 2022
Closed
@wbt wbt deleted the patch-1 branch April 6, 2022 20:35
lquixada pushed a commit to lquixada/cross-fetch that referenced this pull request Apr 10, 2022
@wbt
Update away from vulnerable version of node-fetch (#135)
6ae9201 
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
lquixada pushed a commit to lquixada/cross-fetch that referenced this pull request Apr 10, 2022
@wbt @lquixada
Update away from vulnerable version of node-fetch (#135)
eac6c00 
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@jeffwalsh
Copy link

is this available in a public version? i don't see a 16.0.4 with this change a @brianlenz was asking for above

@wbt
Copy link
Contributor Author

wbt commented Apr 29, 2022
edited
Loading

No, there has not been a publish since the time this PR was merged. You could use a git ref if you really want to, but you'll miss future patches unless updating back after this does eventually get published.

@mcmire mcmire mentioned this pull request Apr 29, 2022
Merged
@mcmire
Copy link
Contributor

mcmire commented Apr 29, 2022

16.0.4 is now released with this change. Cheers!

@takeratta takeratta mentioned this pull request Jun 21, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mcmire mcmire mcmire approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cross-fetch can be removed from the dependece list
4 participants
@wbt @brianlenz @jeffwalsh @mcmire