`node-fetch` 2.6.1: security alert (CVE-2022-0235)

Question

`node-fetch` 2.6.1: security alert (CVE-2022-0235)

brycewray opened this issue 3 years ago · 2 comments

The presence of node-fetch 2.6.1 in eleventy-cache-assets is triggering GitHub's Dependabot alerts regarding CVE-2022-0235. Apparently nothing earlier than 3.1.1 is considered safe.

Answer 1 · 2022-02-05T21:37:57.000Z

Hey, I do have plans to update this explicitly but just as disclosure 2.6.7 is also patched and will be applied on a clean install per ^ install rules.

See also https://github.com/node-fetch/node-fetch/blob/HEAD/docs/v3-UPGRADE-GUIDE.md#converted-to-es-module

Answer 2 · 2022-02-05T21:49:37.000Z

Fixed by 44c7612 will ship with 2.3.1