🐛 Bug Report
According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1. This version of node-fetch has a vulnerability that is fixed in 2.6.7 and later.
isomorphic-fetch is abandoned. Consumers of isomorphic-fetch are moving to an alternative project, cross-fetch. babel-plugin-fbt-runtime should too.
To Reproduce
Add babel-plugin-fbt-runtime to a project
Run Dependabot against the downstream project
View alerts
Expected behavior
node-fetch should be at 2.6.7 or later
Link to repo (highly encouraged) or paste
For security reasons, I can't share this publicly. Contact me offline (lucas@gonze.com).
Also...
I'd happily submit a patch but am baffled by the structure of this repo. LMK if you want the help.
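The reproduction steps above rely on Dependabot. As an added example (not code from the issue or from the fbt project), the following Node script performs the same trace offline: it walks a package-lock.json (lockfileVersion 2/3 layout, keyed by node_modules path), resolves each dependency the way Node does (nearest enclosing node_modules), and reports every path by which a node-fetch below 2.6.7 reaches the root project. The lockfile is a constructed sample mirroring the chain the thread describes (babel-plugin-fbt-runtime -> fbjs -> isomorphic-fetch@2.2.1 -> node-fetch@^1.0.1); the fbjs and node-fetch patch versions in it are assumed for illustration. The "patched" lockfile shows the same check passing once node-fetch resolves to 2.6.7, which is what an npm `overrides` entry for node-fetch produces.

```javascript
// Added example, not part of the fbt project: trace vulnerable transitive
// node-fetch versions through a package-lock.json without Dependabot.

// Constructed sample lockfile. Versions marked "assumed" are illustrative.
const sampleLock = {
  name: "downstream-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "babel-plugin-fbt-runtime": "^0.9.12" } },
    "node_modules/babel-plugin-fbt-runtime": {
      version: "0.9.12",                       // stated in the issue
      dependencies: { fbjs: "^3.0.0" },        // range assumed
    },
    "node_modules/fbjs": {
      version: "3.0.4",                        // assumed
      dependencies: { "isomorphic-fetch": "^2.2.1" },
    },
    "node_modules/isomorphic-fetch": {
      version: "2.2.1",                        // stated in the issue
      dependencies: { "node-fetch": "^1.0.1" },// stated in the issue
    },
    "node_modules/node-fetch": { version: "1.7.3" }, // assumed 1.x resolution
  },
};

// Parse "major.minor.patch"; a prerelease suffix (e.g. "-beta.1") is ignored,
// so this check treats prereleases as their base version (a simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("unparseable version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function versionAtLeast(v, min) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== min[i]) return a[i] > min[i];
  }
  return true;
}

// Fix threshold as stated in the issue: node-fetch 2.6.7 and later.
const nodeFetchFixed = (v) => versionAtLeast(v, [2, 6, 7]);

// Node-style resolution: nearest "node_modules/<name>" walking up from fromPath.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Human-readable "name@version" for a lockfile path ("" is the root project).
function labelOf(lock, pkgPath) {
  if (pkgPath === "") return lock.name;
  const marker = "node_modules/";
  const name = pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
  return name + "@" + lock.packages[pkgPath].version;
}

// Depth-first walk from the root; returns every chain ending in a `target`
// whose resolved version fails `isFixed`. Visited chain guards against cycles.
function findVulnerablePaths(lock, target, isFixed) {
  const results = [];
  const visit = (pkgPath, chain) => {
    const pkg = lock.packages[pkgPath];
    if (!pkg) return;
    for (const name of Object.keys(pkg.dependencies || {})) {
      const depPath = resolveDep(lock, pkgPath, name);
      if (!depPath || chain.includes(depPath)) continue;
      const next = chain.concat(depPath);
      if (name === target) {
        const version = lock.packages[depPath].version;
        if (!isFixed(version)) {
          results.push({ version, chain: next.map((p) => labelOf(lock, p)) });
        }
      } else {
        visit(depPath, next);
      }
    }
  };
  visit("", [""]);
  return results;
}

// Same lockfile after forcing node-fetch to 2.6.7 (e.g. via npm "overrides").
const patchedLock = JSON.parse(JSON.stringify(sampleLock));
patchedLock.packages["node_modules/node-fetch"].version = "2.6.7";

function report(lock) {
  const hits = findVulnerablePaths(lock, "node-fetch", nodeFetchFixed);
  if (hits.length === 0) return ["no vulnerable node-fetch reachable"];
  return hits.map((h) => "node-fetch@" + h.version + " via " + h.chain.join(" -> "));
}

console.log(report(sampleLock).join("\n"));
console.log(report(patchedLock).join("\n"));
```

Run with `node trace-node-fetch.js` against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the printed chain is the same path Dependabot's alert summarizes, and the check returns empty once the override takes effect.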
lucasgonze changed the title from "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor" to "node-fetch vulnerability transitive from isomorphic-fetch" on Feb 9, 2022
According to Dependabot, babel-plugin-fbt-runtime@0.9.12 (through 0.10.0-rc5-beta) requires node-fetch@^1.0.1 via a transitive dependency on isomorphic-fetch@2.2.1.
Hmm, that's different from what I saw. This issue exists in 0.9.5 - 0.9.18 because babel-plugin-fbt-runtime at that time depended on fbjs, which in turn depends on isomorphic-fetch.
However, we recently removed the fbjs dependency in e42ecd2, and I believe this is no longer an issue.
Thank you for this helpful guidance, @pkqinys . I see that fbjs is gone in 0.10.0-rc5-beta. What is the stability of that version, given that it is only a release candidate? Can I pull it into production software?
It may be relevant that my work is also on a Facebook project.
I would recommend waiting until we release the public version. babel-plugin-fbt@0.21.0-rc10-beta should be stable as it has been deployed to production at Meta for a while now. However, babel-plugin-fbt-runtime@0.10.0-rc5-beta is not in production yet.