CVE-2022-0235 - node-fetch (peer dependency via isomorphic-fetch)
nathanlodge opened this issue · 5 comments
CVE-2022-0235
Versions of the node-fetch package lower than 2.6.7 are potentially vulnerable to exposure of sensitive information to an unauthorized actor (see GHSA-r683-j2x4-v87g).
The node-fetch package is a peer dependency of the Avatax-REST-V2-JS-SDK package via the isomorphic-fetch package:
AvaTax-REST-V2-JS-SDK/package.json, line 26 in 475c6a6
AvaTax-REST-V2-JS-SDK/yarn.lock, lines 1656 to 1661 in 475c6a6
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ node-fetch is vulnerable to Exposure of Sensitive │
│ │ Information to an Unauthorized Actor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.7 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ isomorphic-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1006899 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Overriding node-fetch to a safe version is not currently an option.
Testing with node-fetch version 2.6.7, the following TypeError is encountered when handling responses here:
TypeError: Cannot read properties of undefined (reading 'content-type')
AvaTax-REST-V2-JS-SDK/lib/AvaTaxClient.js, lines 88 to 89 in 475c6a6
Would it be possible to prioritize a fix for this vulnerability?
I'm attempting to leverage the client.resolveAddressPost(address); function in NextJS (Typescript) and am also receiving TypeError: Cannot read properties of undefined (reading 'content-type') on response.
Prioritizing fix for this would be much appreciated!
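A header-reading pattern that stays correct across node-fetch versions, covering the TypeError reported in the issue body and again in the comment above. This is an added example, not the AvaTax SDK's code: the thread does not show lib/AvaTaxClient.js lines 88 to 89, so it assumes the error comes from indexing an internal header field rather than using the public Headers API, and StubHeaders, StubResponse and parseResponse are constructed stand-ins.

```javascript
// Added example (not the AvaTax SDK's code). The SDK's lines 88-89 are not
// shown in this thread; this assumes the TypeError comes from reading an
// internal header field instead of the public Headers API.

// Minimal stand-in for the Headers class so the example runs offline;
// node-fetch (1.x and 2.x) and WHATWG Headers expose the same get() method.
class StubHeaders {
  constructor(init = {}) {
    this.map = new Map(
      Object.entries(init).map(([k, v]) => [k.toLowerCase(), String(v)])
    );
  }
  get(name) {
    return this.map.get(name.toLowerCase()) ?? null;
  }
}

// Constructed Response stand-in carrying only what parseResponse needs.
class StubResponse {
  constructor(status, headers, body) {
    this.status = status;
    this.ok = status >= 200 && status < 300;
    this.headers = new StubHeaders(headers);
    this.body = body;
  }
  async text() { return this.body; }
  async json() { return JSON.parse(this.body); }
}

// Fragile: node-fetch 1.x kept headers in a plain object at headers._headers;
// node-fetch 2.x stores them under a Symbol, so _headers is undefined there
// and this throws "Cannot read properties of undefined (reading 'content-type')".
function contentTypeViaInternals(response) {
  return response.headers._headers['content-type'];
}

// Robust: public API, normalised media type, empty string when header absent.
function contentTypeOf(response) {
  const ct = response.headers.get('content-type');
  return ct ? ct.split(';')[0].trim().toLowerCase() : '';
}

// Parse JSON only when the server says so; otherwise hand back raw text.
async function parseResponse(response) {
  if (contentTypeOf(response) === 'application/json') return response.json();
  return response.text();
}
```

Swapping StubResponse for a real node-fetch Response leaves contentTypeOf and parseResponse unchanged, because only headers.get() is used.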
Resolved by 7d87bb4
Should that bump the package version to 22.3.1?
Resolved in 22.5.0