[Component Vulnerability]please consider to upgrade node-fetch in @microsoft/signalr from @^2.x.x to @^3.1.1 #39672
Comments
|
Triage: We should update this. Note: you can also manually update this dependency in your own package.json file, and as long as there are no breaking changes it should work. |
|
It's a major version bump for node-fetch. Doesn't that mean the node-fetch developers are signaling that there are breaking changes? And isn't this issue a little more urgent than waiting for the release of a preview of the whole ASP.NET Core framework that most people won't use specifically because it's a preview? Also, isn't this numbering meant to coincide with releases of .NET Core? Doesn't that mean that 7, being an odd number, won't be an LTS release? Being that this is a security vulnerability, shouldn't it go as a patch of the current LTS release, 6? |
|
We will be updating main to explicitly target ^2.6.7 of node-fetch as the fix was made there and in the 3.x train. For the patch branches we are not making any changes as we have the node-fetch dependency marked as |
Yeah. Thanks very much. |
Is there an existing issue for this?
Describe the bug
The @microsoft/signalr has node-fetch@^2.6.1 as a dependency that is vulnerable to the exposure of sensitive information to an unauthorized actor. And it seems that this bug is fixed in node-fetch's latest release v3.1.1:
node-fetch/node-fetch#1449
please consider to upgrade node-fetch to @^3.1.1 to solve this problem.
Expected Behavior
upgrade node-fetch in @microsoft/signalr from @^2.6.1 to @^3.1.1 to solve this problem.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: