Security patch release
Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3rd party host while a redirect occurred
...but it would be good to migrate to the latest package. I haven't looked at the full list of breaking changes yet, but this is one of these numerous dependencies that are moving to ESM-only (no built-in CJS support):
...and in all likelihood, node-fetch will become a polyfill for when several key features are available in NodeJS core. Lots of information in these 2 discussion threads:
But, as a starting point Thorium should probably migrate to v3 (i.e. not stay stuck on v2 for too long). IIRC the main breaking change is ESM vs. CJS, but Thorium faces this upgrade problem with several other key NPM packages, so might as well tackle this head-on, update WebPack etc. (all the loaders!)
thorium-reader/package.json
Line 257 in f436709
CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-0235
node-fetch version 3.1.1
https://github.com/node-fetch/node-fetch/releases/tag/v3.1.1
Thankfully, the fix is backported to version 2.6.7 which Thorium can use: https://github.com/node-fetch/node-fetch/releases/tag/v2.6.7
https://github.com/node-fetch/node-fetch/releases/tag/v3.0.0
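An added example (not part of the original issue, and not node-fetch or Thorium code): a Node.js check that walks a parsed package-lock.json and lists every node-fetch copy, including nested transitive ones, older than the fixed releases 2.6.7 and 3.1.1 named above. The sample lockfile is constructed, and treating every earlier release in each major line as affected is an assumption.

```javascript
// Fixed releases per major line, taken from the issue text above.
const FIXED = { 2: [2, 6, 7], 3: [3, 1, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Assumption: every release below the fixed version of its major line is
// affected; 0.x/1.x have no fixed release; majors above 3 count as fixed.
function isPatched(version) {
  const v = parseVersion(version);
  if (!v || v[0] < 2) return false; // unparseable or too old: needs review
  const fixed = FIXED[v[0]];
  return fixed ? !lessThan(v, fixed) : true;
}

// Handles lockfileVersion 2/3 ("packages" map) and 1 (nested "dependencies").
function findUnpatched(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/node-fetch") && !isPatched(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "node-fetch" && !isPatched(dep.version)) {
        hits.push({ path, version: dep.version });
      }
      walk(dep.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not Thorium's real lock data).
const sampleLock = { lockfileVersion: 2, packages: {
  "node_modules/node-fetch": { version: "2.6.7" },
  "node_modules/some-lib/node_modules/node-fetch": { version: "2.6.1" },
  "node_modules/other-lib/node_modules/node-fetch": { version: "3.0.0" },
} };
console.log(findUnpatched(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the project's own package-lock.json to `findUnpatched`; an empty array means no copy older than the fixed releases was found.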