facebook/fbjs

Security vulnerability with cross-fetch in fbjs

Closed this issue · 3 comments

In fbjs you have a dependency on cross-fetch version 3.0.4; see https://github.com/facebook/fbjs/blob/main/packages/fbjs/package.json

This version has a vulnerability because it depends on a vulnerable version of node-fetch: GHSA-r683-j2x4-v87g

The package.json should be updated to use cross-fetch 3.1.5, which has an updated version of node-fetch that fixes the vulnerability.

I arrived at this issue after tracing that vulnerability through to three other Facebook open source projects. This is a pressing issue.

The latest version of cross-fetch has upgraded from the vulnerable version of node-fetch. The version used in fbjs ("cross-fetch": "^3.0.4") is upwards compatible by semver with the patched version (3.1.5).
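To make the semver argument above concrete, here is an added check (not fbjs or cross-fetch code) that evaluates whether a caret range such as `"^3.0.4"` admits the patched release 3.1.5, and separately whether the version actually resolved by a lockfile is at or above the fix. The resolved value 3.0.4 is a constructed lockfile value for illustration; the range and fixed version are the ones stated in this issue.

```javascript
// Added example: caret-range check for a vulnerable transitive dependency.
// A range that admits the fix does not mean the install is fixed: the
// lockfile keeps whatever was resolved until it is regenerated or bumped.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X > 0,
// <0.(Y+1).0 when X === 0 and Y > 0, and <0.0.(Z+1) when X and Y are 0.
function caretUpperBound(base) {
  const [x, y, z] = parseVersion(base);
  if (x > 0) return `${x + 1}.0.0`;
  if (y > 0) return `0.${y + 1}.0`;
  return `0.0.${z + 1}`;
}

function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Verdict for one dependency: does the declared range admit the fixed
// version, and is the resolved (lockfile) version already fixed?
function auditDependency(range, resolved, fixedIn) {
  return {
    rangeAdmitsFix: caretSatisfies(range, fixedIn),
    resolvedIsFixed: compareVersions(resolved, fixedIn) >= 0,
  };
}

// Range and fix from the issue; resolved 3.0.4 is a constructed lockfile value.
console.log(auditDependency('^3.0.4', '3.0.4', '3.1.5'));
// { rangeAdmitsFix: true, resolvedIsFixed: false }
```

The first flag shows a plain `package.json` bump is not strictly required for the range to accept 3.1.5; the second shows why the lockfile (or an explicit bump) still has to change before the install is actually patched.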

Thanks for the PR. By the way, I informed Facebook's security team about the issue. They said they would put extra priority on it, so hopefully you will get a review soon.

FWIW, our team does a lot of bumps like this in another FB open source project and could possibly be tasked with fbjs items.