[Component vulnerability - governance alert] For "@microsoft/signalr" JS package, please update "node-fetch" dependency from vulnerable 2.6.7 version #43019
Labels
area-signalr
Includes: SignalR clients and servers
Comments
|
Not an issue in v2 see node-fetch/node-fetch#1615 |
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is there an existing issue for this?
Describe the bug
When scanning with Snyk, a security vulnerability is reported for the latest 6.0.7 version of the "@microsoft/signalr" JS package, as shown on https://snyk.io/advisor/npm-package/@microsoft/signalr (linked to from https://cdnjs.com/libraries/microsoft-signalr).
Using the Snyk CLI scanner yields this:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-NODEFETCH-2964180] in node-fetch@2.6.7
introduced by @microsoft/signalr@6.0.7 > node-fetch@2.6.7
This issue was fixed in versions: 3.2.10
But due to the "^2.6.7" specified in your package, there's no use in adding a temporary direct dependency towards any "3.x" version.
Expected Behavior
That Snyk shouldn't find any security vulnerabilities in any Microsoft package.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
This is similar to #39672, but I haven't yet been able to find any issue detailing this in the" node-fetch" project, so I'm unsure whether it's being addressed there.
The text was updated successfully, but these errors were encountered: