update to node-fetch@3

[jimmywarting]

Any thoughts on start using node-fetch v3
It's built as ESM only doe...

[lquixada]

I've tried using it but it wasn't straight forward to add it to the lib. cross-fetch is CJS.

[jimmywarting]

any chance that this could be converted to esm as well?

[lquixada]

not seeing that on the near future. might reconsider at some point.

[yinzara]

Please don't

node-fetch/node-fetch#1263

Sorry @jimmywarting , I still don't think you've given enough of a reason that libraries that are targeted at NodeJS should be making this swap now. We're up to 103 to 15 now.

Additionally, TypeScript 4.5 has now removed the ESM NodeJS support from its feature list so users of TypeScript still have to use some of your crazy work arounds to be able to use ESM only libraries. Hopefully TypeScript 4.6 will have this feature and it'll come soon.
https://www.infoworld.com/article/3637149/typescript-delays-esm-support-for-nodejs.html

[LiangXuehongBJ]

Hi.
Is there a plan(timeline) to using node-fetch v3?
We are using some other package which uses package cross-fetch as dependency.
But there is an CVE-2022-0235 vulnerability (Medium) detected in node-fetch-2.6.1.tgz.
Thanks.

Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

I've tried using it but it wasn't straight forward to add it to the lib. cross-fetch is CJS.

[jimmywarting]

fyi v2.x got patched and fixed for security reason for ppl who are stuck with cjs

[imsys]

To be more specific, it was fixed on 2.6.7
node-fetch/node-fetch@1ef4b56
We just need someone to fix the warning for 2.6.7.

[imsys]

Update, the warning is fixed for:

Affected versions

>= 3.0.0, < 3.1.1
< 2.6.7

Patched versions

3.1.1
2.6.7

[lquixada]

cross-fetch@3.1.5 was released with node-fetch@2.6.7.