vulnerability found in dependency
xemayebenes opened this issue · 5 comments
xemayebenes commented
Last version throws audit fails
| . | - |
|---|---|
| Low | Denial of Service |
| Package | node-fetch |
| Patched in | >=2.6.1 <3.0.0-beta.1 |
| Dependency of | avatax |
| Path | avatax > isomorphic-fetch > node-fetch |
| More info | https://npmjs.com/advisories/1556 |
Are you planning to fix this dependency?
Eric-Dunaway commented
https://snyk.io/advisor/npm-package/avatax
isomorphic-fetch v3 is out https://github.com/matthew-andrews/isomorphic-fetch/releases/tag/v3.0.0
Snyk Report on isomorphic-fetch@3.0.0
This PR fixed the issue with the out of date node-fetch in isomorphic-fetch
matthew-andrews/isomorphic-fetch#189
eboureau commented
HI, any news on that one?
There is now a High vulnerability in node-fetch dependency, when do you plan to upgrade to isomorphic-fetch@3.0.0?
eboureau commented
I also think you should get rid of isomorphic-fetch and just use node-fetch@2.6.7. IMO isomorphic-fetch has no added value using node.js
svc-developer commented
Resolved in 22.5.0.
Thanks