This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

Security vulnerability: update isomorphic-fetch to latest #217

Closed
daniel-liu-bitio opened this issue Apr 6, 2022 · 0 comments · Fixed by #220

Comments

@daniel-liu-bitio

Isomorphic-fetch 2.2.1 (the version currently being used) has a security vulnerability since it depends on an unsafe version of node-fetch. Running npm i @segment/consent-manager followed by npm audit gives:

node-fetch  <=2.6.6
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
No fix available
node_modules/@segment/consent-manager/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/@segment/consent-manager/node_modules/isomorphic-fetch
    @segment/consent-manager  *
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/@segment/consent-manager

This is fixed in subsequent versions of isomorphic-fetch (see matthew-andrews/isomorphic-fetch#189). Would it be possible to bump up the version of isomorphic-fetch for this package?
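A small detector for the transitive chain shown in the audit output, as an added example that is not part of this issue or of @segment/consent-manager. It assumes a dependency tree in the shape of `npm ls --all --json` output and encodes only the node-fetch range (<=2.6.6) reported above; the sample tree and its placeholder versions are constructed.

```javascript
// Added example, not code from the issue or from @segment/consent-manager.
// Walks a tree shaped like `npm ls --all --json` output
// ({ dependencies: { <name>: { version, dependencies } } }) and reports every
// install path ending in a node-fetch version inside the range flagged above.

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: -1, 0 or 1, comparing major, then minor, then patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable range taken from the audit output above: node-fetch <=2.6.6.
const VULNERABLE_RANGES = {
  "node-fetch": (v) => compareVersions(v, "2.6.6") <= 0,
};

// Depth-first walk; each hit is the full "parent > child > ..." install path.
function findVulnerablePaths(tree, path = [], hits = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    const inRange = VULNERABLE_RANGES[name];
    if (inRange && inRange(node.version)) hits.push(here.join(" > "));
    findVulnerablePaths(node, here, hits);
  }
  return hits;
}

// Constructed sample mirroring the chain in the audit output. The consent-manager
// version is a placeholder, the nested node-fetch sits inside the flagged range,
// and the hoisted top-level node-fetch is outside it and must not be reported.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "@segment/consent-manager": { version: "0.0.0-placeholder", dependencies: {
      "isomorphic-fetch": { version: "2.2.1", dependencies: {
        "node-fetch": { version: "1.7.3" } } } } },
    "node-fetch": { version: "2.6.7" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerablePaths(SAMPLE_TREE));
}
```

Feeding it real `npm ls --all --json` output (parsed with `JSON.parse`) prints each affected install path, which is the information the `npm audit` tree above conveys.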
