
node-fetch snyk vulnerabilities #6755

Closed
samchungy opened this issue Aug 1, 2022 · 2 comments

Comments


samchungy commented Aug 1, 2022

Hello, our Snyk vulnerabilities scanner flagged node-fetch as an issue across your packages. Could we bump this up a version or two? :) Cheers!

Edit: Noticed that might be an issue due to ESM

https://security.snyk.io/vuln/SNYK-JS-NODEFETCH-2964180

sbrown1214 commented

Having the same exact issue! Just wanted to bump this thread. Thank you for posting

glasser (Member) commented Aug 1, 2022

apollo-server uses node-fetch v2, not node-fetch v3. (Using v3 only works if your app loads files via ESM rather than CJS, so for us to use v3 we'd be preventing Apollo Server users from using CJS.)

According to the developers, this bug appears to only exist in v3; Snyk is incorrect to flag this as an issue. node-fetch/node-fetch#1615 says that they've asked Snyk to update their version range.
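The practical check behind this exchange is which node-fetch copies are actually resolved in your lockfile and which major line each belongs to. The following is an added example, not code from apollo-server or node-fetch: it reads a package-lock.json (lockfileVersion 2 or 3, which carries a "packages" map keyed by install path), lists every installed node-fetch, and flags the ones on major 3, the line the maintainer says the advisory concerns. The lockfile contents, package names and versions below are constructed for illustration.

```javascript
// Added example (not part of the issue thread or the project): triage a
// scanner flag on node-fetch by listing the copies a lockfile actually
// resolves. The lockfile below is constructed; its paths/versions are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/apollo-server": { version: "0.0.0-constructed" },
    "node_modules/apollo-server/node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/some-esm-tool": { version: "0.0.0-constructed" },
    "node_modules/some-esm-tool/node_modules/node-fetch": { version: "3.1.0" },
  },
});

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes tolerated); null otherwise.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Walk the "packages" map and return one record per installed node-fetch copy.
// `flaggedMajor` is the major line the advisory is said to apply to (3 here,
// per the maintainer's comment; confirm against the advisory itself).
function findNodeFetchCopies(lockJson, flaggedMajor = 3) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; not handled here");
  }
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/node-fetch$/.test(path)) continue;
    const sv = parseSemver(entry.version);
    copies.push({
      path,
      version: entry.version,
      // The dependent is whatever owns the enclosing node_modules directory.
      dependent: path.replace(/\/?node_modules\/node-fetch$/, "") || "(root)",
      inFlaggedLine: sv !== null && sv.major === flaggedMajor,
    });
  }
  return copies;
}

for (const c of findNodeFetchCopies(SAMPLE_LOCK)) {
  const verdict = c.inFlaggedLine ? "v3 line: check advisory" : "not v3: likely false positive";
  console.log(`${c.version.padEnd(8)} ${verdict}  via ${c.dependent}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `fs.readFileSync("package-lock.json", "utf8")`; a copy that shows up under a v2 dependent is the situation the maintainer describes.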

@glasser glasser closed this as completed Aug 1, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 20, 2023