Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update away from vulnerable version of node-fetch #135

Merged
merged 1 commit into from Apr 10, 2022
Merged

Update away from vulnerable version of node-fetch #135

merged 1 commit into from Apr 10, 2022

Conversation

wbt
Copy link

@wbt wbt commented Apr 6, 2022

Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404

@wbt
Update away from vulnerable version of node-fetch
832f946 
Backporting lquixada#124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022
edited

This pull request doesn’t change much. "^2.6.1" means >= 2.6.1 && < 3, so version 2.6.7 is installed anyways.

The mentioned patch, MetaMask/web3-provider-engine#404, is different because here the version number isn’t prefixed by a caret (^).

@lquixada
Copy link
Owner

lquixada commented Apr 10, 2022
edited

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release. Thanks @wbt

@lquixada lquixada merged commit 6ae9201 into lquixada:2.x Apr 10, 2022
lquixada pushed a commit that referenced this pull request Apr 10, 2022
@wbt @lquixada
Update away from vulnerable version of node-fetch (#135)
eac6c00 
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022
edited

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release.

Good point. You're right and I was wrong.

@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022
edited

Curious: Why does the package.json has a caret in the version number, when the one here in this repo does not? Is there another release of cross-fetch that allows updates to the dependencies?

@lquixada
Copy link
Owner

Using a caret has its pros and cons. I feel there's no clear answer but here's a few insights: #129 (comment).

@janaagaard75
Copy link

Thanks for the update, @lquixada. I had missed that #132 had been merged. Sorry for the noise.

@wbt wbt deleted the patch-1 branch April 11, 2022 17:02
@cysp cysp mentioned this pull request May 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wbt @janaagaard75 @lquixada