Thorium uses an old version of node-fetch which contains security holes / vulnerabilities

[danielweck]

thorium-reader/package.json

Line 257 in f436709

"node-fetch": "^2.6.6",

CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-0235

node-fetch version 3.1.1

Security patch release
Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

https://github.com/node-fetch/node-fetch/releases/tag/v3.1.1

Thankfully, the fix is backported to version 2.6.7 which Thorium can use:

https://github.com/node-fetch/node-fetch/releases/tag/v2.6.7

...but it would be good to migrate to the latest package. I haven't looked at the full list of breaking changes yet, but this is one of these numerous dependencies that are moving to ESM-only (no built-in CJS support):

https://github.com/node-fetch/node-fetch/releases/tag/v3.0.0

[danielweck]

Fixed via f436709#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519L1637

[danielweck]

Unidici's fetch implementation is not final yet:

https://github.com/nodejs/undici#undicifetchinput-init-promise

...and in all likelihood, node-fetch will become a polyfill for when several key features are available in NodeJS core. Lots of information in these 2 discussion threads:

node-fetch/node-fetch#1247

node-fetch/node-fetch#1452

But, as a starting point Thorium should probably migrate to v3 (i.e. not stay stuck on v2 for too long). IIRC the main breaking change is ESM vs. CJS, but Thorium faces this upgrade problem with several other key NPM packages, so might as well tackle this head-on, update WebPack etc. (all the loaders!)