Update fetch-ponyfill to remove the vulnerability introduced by node-fetch
Closed this issue · 2 comments
Subject of the issue
eth-json-rpc-middleware@4.4.1 requires node-fetch@4.1.0, which has a security problem (see: CVE-2020-15168) :
eth-json-rpc-middleware@4.4.1 ➔ fetch-ponyfill@4.1.0 ➔ node-fetch@1.7.3
I am not sure if this vulnerability actually affects eth-json-rpc-middleware, but it will show up in security reports about dependencies. Since a large number of developers still use eth-json-rpc-middleware@4.4.*(16,898 downloads per week), is there any posibility that you could release an update version for 4.4.* (ie 4.4.2) that introduces a patched version(>=2.6.1) of node-fetch?
In eth-json-rpc-middleware@4.4.2, maybe you can perform the following update:
fetch-ponyfill ^4.0.0 ➔ ^6.1.0
where fetch-ponyfill@6.1.0 ➔ node-fetch@2.6.1 , and node-fetch@2.6.1 has fixed the vulnerability CVE-2020-15168.
The issue was fixed in this project in mid-September 2020 but you may have arrived to report an Issue here via Trufflesuite's fork, which got pretty far behind without pulling in changes (forks don't allow independent Issue reporting). It was included as a dependency of web3-provider-engine which is also a fork of MetaMask's project that Truffle hasn't kept up with. Truffle (IMO wisely) updated to use Metamask's version instead of their own fork in hdwallet-provider at the end of Nov. 2021 and updated the version number on hdwallet-provider to reflect the fix at the release of 2.0.0 a few days later. So if you want to be rid of those audit alerts, you could try upgrading @truffle/hdwallet-provider to 2.0.0... if that was actually the root of your original report here.
If that works, please report back here to close the issue!
As noted in the previous comment, this has been fixed already.