Fix high snyk security vulnerability in v2 #1615

Closed
filipatavares opened this issue Aug 1, 2022 · 5 comments

@filipatavares

Hi there,

Snyk found a new HIGH-security vulnerability: https://security.snyk.io/vuln/SNYK-JS-NODEFETCH-2964180

Could you please apply the fix for node-fetch v2?
We can't update to v3 at the moment and v2 is said to be updated with bug/security issues.

Best regards

@LinusU
Member

LinusU commented Aug 1, 2022

v2 isn't affected by that issue:

#1611 (comment)

Someone needs to contact Snyk and get them to update the affected version range...

@mattcobb

mattcobb commented Aug 1, 2022

Contacting Snyk

@mattcobb

mattcobb commented Aug 1, 2022

snyk ticket 29544

@vovikhangcdv
Contributor

Actually, the Snyk severity (CVSS Score) is not suitable. As I mentioned in the report, it should be 5.9 (Medium) (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), not a high severity vulnerability.

@mattcobb

mattcobb commented Aug 3, 2022

Snyk fixed the range:

Jacky Cheung (Snyk)
Aug 3, 2022, 17:40 GMT+1

Hi Matt,

This was updated yesterday to reflect the fact that 2.x was not impacted and the public advisory is already showing as such so this should now be correct.
Cheers,

Jacky
Senior Technical Support Engineer (EMEA)
