[Component Vulnerability]please consider to upgrade node-fetch in @microsoft/signalr from @^2.x.x to @^3.1.1 #39672
Labels
area-signalr
Includes: SignalR clients and servers
Milestone
Is there an existing issue for this?
Describe the bug
The @microsoft/signalr has node-fetch@^2.6.1 as a dependency that is vulnerable to the exposure of sensitive information to an unauthorized actor. And it seems that this bug is fixed in node-fetch's latest release v3.1.1:
node-fetch/node-fetch#1449
please consider to upgrade node-fetch to @^3.1.1 to solve this problem.
Expected Behavior
upgrade node-fetch in @microsoft/signalr from @^2.6.1 to @^3.1.1 to solve this problem.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: