refresh lockfile to automatically remove the vulnerability introduced in @zilliqa-js/core@3.0.0
paimon0715 opened this issue · 1 comments
Hi, @renlulu @teye, I have reported a vulnerability issue in package cross-fetch.
As far as I am aware, vulnerability CVE-2020-15168 detected in package node-fetch(<2.6.1,>=3.0.0-beta.1 <3.0.0-beta.9) is directly referenced by cross-fetch@2.2.3, on which your package @zilliqa-js/core@3.0.0 directly depends. As such, this vulnerability can also affect @zilliqa-js/core@3.0.0 via the following path:
@zilliqa-js/core@3.0.0 ➔ cross-fetch@2.2.3 ➔ node-fetch@2.1.2(vulnerable version)
Since cross-fetch has released a new patched version, cross-fetch@2.2.5, to resolve this issue (cross-fetch@2.2.5 ➔ node-fetch@2.6.1 (fix version)), this vulnerability patch can be automatically propagated into your project, but only if you update your lockfile. The following is your new dependency path:
@zilliqa-js/core@3.0.0 ➔ cross-fetch@2.2.5 ➔ node-fetch@2.6.1 (vulnerability fix version).
A warm tip.^_^
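The report relies on two facts a maintainer would want to check before trusting a bare `npm update`: which installed copy of node-fetch the lockfile actually resolves to, and whether the declared cross-fetch range already admits the patched 2.2.5 without a package.json change. The script below is an added example, not code from this issue or from the @zilliqa-js project. It audits a lockfileVersion 2/3 `packages` map against the vulnerable range quoted above (<2.6.1 or >=3.0.0-beta.1 <3.0.0-beta.9) with a dependency-free semver comparison. The lockfile content, including the `^2.2.3` range on cross-fetch, is constructed for the demonstration; the real project's manifest may declare a different range.

```javascript
// Added example: audit a package-lock.json for node-fetch copies inside the
// CVE-2020-15168 range quoted in the report, and check that the patched
// cross-fetch is reachable by a lockfile refresh alone. Dependency-free.

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: numeric core first; a release outranks any pre-release of
// the same core; pre-release identifiers compare left to right, numeric before
// alphanumeric, shorter list first when all shared identifiers are equal.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Vulnerable range as quoted in the report: <2.6.1 || >=3.0.0-beta.1 <3.0.0-beta.9
function isVulnerableNodeFetch(version) {
  const lt = (a, b) => compareVersions(a, b) < 0;
  return lt(version, "2.6.1") || (!lt(version, "3.0.0-beta.1") && lt(version, "3.0.0-beta.9"));
}

// Caret-range check for "^X.Y.Z" with X > 0 (the only form this example handles;
// anything else is treated as an exact pin). A refresh can only pull the fixed
// version if the declared range already admits it.
function caretAllows(range, version) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return range.trim() === version;
  const lower = m[1], major = parseVersion(lower).main[0];
  if (major === 0) throw new Error("^0.x ranges are not handled in this example");
  return compareVersions(version, lower) >= 0 && compareVersions(version, `${major + 1}.0.0`) < 0;
}

// npm resolution: the nearest enclosing node_modules/<name> wins.
function resolveDep(pkgs, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in pkgs) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1);
  }
}

// For every package that declares node-fetch, find the copy it resolves to and
// flag it against the vulnerable range. Returns one finding per installed copy.
function auditLockfile(lock) {
  const pkgs = lock.packages || {};
  const byPath = new Map();
  for (const [path, entry] of Object.entries(pkgs)) {
    if (!entry.dependencies || !("node-fetch" in entry.dependencies)) continue;
    const resolved = resolveDep(pkgs, path, "node-fetch");
    if (!resolved) continue;
    const dependent = path === "" ? lock.name : path.replace(/^.*node_modules\//, "");
    if (!byPath.has(resolved)) {
      const version = pkgs[resolved].version;
      byPath.set(resolved, { path: resolved, version, vulnerable: isVulnerableNodeFetch(version), dependents: [] });
    }
    byPath.get(resolved).dependents.push(dependent);
  }
  return [...byPath.values()];
}

// Constructed lockfile mirroring the reported path; "^2.2.3" is an assumed range.
const lockBefore = {
  name: "@zilliqa-js/core", version: "3.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "@zilliqa-js/core", version: "3.0.0", dependencies: { "cross-fetch": "^2.2.3" } },
    "node_modules/cross-fetch": { version: "2.2.3", dependencies: { "node-fetch": "2.1.2" } },
    "node_modules/node-fetch": { version: "2.1.2" },
  },
};
// The same lockfile after a refresh, following the fixed path from the report.
const lockAfter = {
  name: "@zilliqa-js/core", version: "3.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "@zilliqa-js/core", version: "3.0.0", dependencies: { "cross-fetch": "^2.2.3" } },
    "node_modules/cross-fetch": { version: "2.2.5", dependencies: { "node-fetch": "2.6.1" } },
    "node_modules/node-fetch": { version: "2.6.1" },
  },
};

function fixReachableByRefresh(lock, dep, fixedVersion) {
  return caretAllows(lock.packages[""].dependencies[dep], fixedVersion);
}

console.log(JSON.stringify(auditLockfile(lockBefore), null, 2));
console.log("refresh can pull cross-fetch@2.2.5:", fixReachableByRefresh(lockBefore, "cross-fetch", "2.2.5"));
console.log(JSON.stringify(auditLockfile(lockAfter), null, 2));
```

The audit reports the node-fetch copy reached through cross-fetch as vulnerable before the refresh and clean after it, and the caret check confirms that the patched cross-fetch sits inside the declared range, which is exactly the condition under which `npm update cross-fetch` (or deleting and regenerating the lockfile) propagates the fix with no manifest change.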