Dependency package node-fetch has a new version available

[azure-sdk]

We have identified a dependency on version 2.7.0 of node-fetch. A new version (3.3.2) is available for upgrade.

Following are the steps to upgrade package dependency.

1. Understand the breaking changes between the version being used and the version you want to upgrade to.

2. Identify all packages that take a dependency on this package.

3. Go to the root folder for each such package (/sdk/service-name/package-name) and update package.json to have the new version.

4. Run rush update to ensure the new version is pulled in.

5. Make relevant changes to absorb the breaking changes.

6. Repeat steps 3 to 5 for each of the packages that have a dependency on this package.

[ramya-rao-a]

This task should be taken up along with #19165

[snuffykl]

Hi just checking any update to upgrade node-fetch to 2.6.7 ?

[ramya-rao-a]

Hey @snuffykl

Our current dependency on node-fetch is using the semver notation ^2.6.6 which should give you the latest minor and patch updates with major version 2. Are you looking for node-fetch to be updated to v3?

[snuffykl]

Hey @snuffykl

Our current dependency on node-fetch is using the semver notation ^2.6.6 which should give you the latest minor and patch updates with major version 2. Are you looking for node-fetch to be updated to v3?

Hi @ramya-rao-a

I am looking to get it to 2.6.7. Good to know it will give me 2.6.7.

Thank you.

[joheredi]

Unfortunately we won't be able to upgrade to v3 in the short term. The reason is that node-fetch v3 dropped support on commonjs modules. In order to migrate we'd need to make our packages ESM-only which we are not ready to do at the moment.

There seems to be a big number of community members impacted by the commonjs drop in node-fetch (for reference: node-fetch/node-fetch#1263)

@praveenkuttappan is there any way to tell the Dependency checker to just look at new versions under 2.x.x for this package?

[jeremymeng]

We will only log issues for available major version updates. v2.x.x will be auto updated when our automation do rush update --full.

We could move this to backlog then check back in the future.

[alexweininger]

Unfortunately we won't be able to upgrade to v3 in the short term. The reason is that node-fetch v3 dropped support on commonjs modules. In order to migrate we'd need to make our packages ESM-only which we are not ready to do at the moment.

@joheredi Do you have long term plans to migrate to v3 and make the SDK packages ESM-only?

[joheredi]

@bterlson should be able to comment about the long-term plans for ESM-only packages in this repo.

[kevintechie]

Please consider updating to patch v2.6.7 to address high vulnerability issue per: GHSA-r683-j2x4-v87g

Update seems more urgent now.

[joheredi]

We already updated to 2.6.7. Also since our dependency on node-fetch is a caret one, running npm update on your side would get you the latest version 2.6.7 without core-http releasing a new version

[github-actions]

Hi @azure-sdk, we deeply appreciate your input into this project. Regrettably, this issue has remained inactive for over 2 years, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support.