facebook/fbt

node-fetch vulnerability transitive from isomorphic-fetch

lucasgonze opened this issue · 3 comments

๐Ÿ› Bug Report

According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1. This version of node-fetch has a vulnerability that is fixed in 2.6.7 and later.

isomorphic-fetch is abandoned. Consumers of isomorphic-fetch are moving to an alternative project, cross-fetch. babel-plugin-fbt-runtime should too.

To Reproduce

  1. Add babel-plugin-fbt-runtime to a project
  2. Run Dependabot against the downstream project
  3. View alerts

Expected behavior

node-fetch should be at 2.6.7 or later

Link to repo (highly encouraged) or paste

For security reasons, I can't share this publicly. Contact me offline (lucas@gonze.com).

Also...

I'd happily submit a patch but am baffled by the structure of this repo. LMK if you want the help.
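A lockfile check that mirrors the Dependabot alert above, as an added example that is not part of the original issue or of the fbt project: it scans the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) for copies of node-fetch older than the fixed 2.6.7 and prints the nesting chain that pulls each one in. The sample lock, its package versions and the `findVulnerableNodeFetch` helper are constructed for this example.

```javascript
// Added example (not fbt project code): find node-fetch installs below the fixed version in a
// package-lock.json "packages" map and report the dependency chain encoded in each lockfile key.
const FIXED_NODE_FETCH = '2.6.7';

// Minimal major.minor.patch comparison; prerelease tags are dropped (simplifying assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// "node_modules/a/node_modules/@s/b/node_modules/c" -> ["a", "@s/b", "c"]
function chainFromKey(key) {
  return key.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
}

// Every node-fetch copy whose version is older than fixedVersion, as { version, chain }.
function findVulnerableNodeFetch(lock, fixedVersion = FIXED_NODE_FETCH) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '' || !key.endsWith('node_modules/node-fetch')) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ version: meta.version, chain: chainFromKey(key) });
    }
  }
  return hits;
}

// Constructed sample lock: a fixed top-level node-fetch plus the nested chain from the issue,
// babel-plugin-fbt-runtime -> fbjs -> isomorphic-fetch -> node-fetch 1.x.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { 'babel-plugin-fbt-runtime': '0.9.18', 'node-fetch': '^2.6.7' } },
    'node_modules/node-fetch': { version: '2.6.7' },
    'node_modules/babel-plugin-fbt-runtime': { version: '0.9.18' },
    'node_modules/babel-plugin-fbt-runtime/node_modules/fbjs': { version: '0.8.18' },
    'node_modules/babel-plugin-fbt-runtime/node_modules/fbjs/node_modules/isomorphic-fetch': { version: '2.2.1' },
    'node_modules/babel-plugin-fbt-runtime/node_modules/fbjs/node_modules/isomorphic-fetch/node_modules/node-fetch': { version: '1.7.3' },
  },
};

for (const hit of findVulnerableNodeFetch(SAMPLE_LOCK)) {
  console.log(`node-fetch@${hit.version} via ${hit.chain.join(' > ')}`);
}
```

Point it at a real lock with `JSON.parse(fs.readFileSync('package-lock.json'))` to see whether the chain still exists after upgrading babel-plugin-fbt-runtime.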

According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1.

Hmm, that's different from what I saw. This issue exists in 0.9.5 - 0.9.18 because babel-plugin-fbt-runtime at that time depended on fbjs which in turn depends on isomorphic-fetch.

However, we recently removed the fbjs dependency in e42ecd2 and I believe this is no longer an issue.

Thank you for this helpful guidance, @pkqinys . I see that fbjs is gone in 0.10.0-rc5-beta. What is the stability of that version, given that it is only a release candidate? Can I pull it into production software?

It may be relevant that my work is also on a Facebook project.

I would recommend waiting until we release the public version. babel-plugin-fbt@0.21.0-rc10-beta should be stable as it has been deployed to production at Meta for a while now. However, babel-plugin-fbt-runtime@0.10.0-rc5-beta is not in production yet.