Security: Switch isomorphic-fetch to cross-fetch #26876

Merged
merged 3 commits into from
Sep 14, 2020

@karlhorky karlhorky commented Sep 12, 2020

Description

This switches the dependency on the unmaintained isomorphic-fetch library, added in #24595, to use cross-fetch.

isomorphic-fetch has a dependency on an old version of node-fetch, which is currently affected by this security advisory: GHSA-w7rc-rwvf-8q5r

Documentation

No documentation - only a dependency switch.

Related Issues

Related to #24595

Related discussion: 694f9e6 (#26709)

@gatsbot gatsbot bot added the "status: triage needed" label Sep 12, 2020
@karlhorky karlhorky changed the title from "Remove unused isomorphic-fetch package" to "Security: Remove unused isomorphic-fetch package" Sep 12, 2020
@karlhorky
Contributor Author

Oh it is being imported unusually - from another package (I see this has been done in 694f9e6).

I'll cherry-pick that and clean it up.

@karlhorky karlhorky changed the title from "Security: Remove unused isomorphic-fetch package" to "Security: Switch isomorphic-fetch to cross-fetch" Sep 12, 2020
@sidharthachatterjee sidharthachatterjee added the "topic: npm*" and "type: maintenance" labels and removed the "status: triage needed" label Sep 14, 2020
@mxstbr mxstbr left a comment

LGTM, thank you for taking this on! 👍

It'd be nice to fully replace isomorphic-fetch from the monorepo eventually, it's currently still used in examples and tests. However, this is a great first step to ship!

@mxstbr mxstbr merged commit fd15a92 into gatsbyjs:master Sep 14, 2020
@karlhorky karlhorky deleted the patch-1 branch September 14, 2020 13:16
@karlhorky
Contributor Author

Glad to help! Thanks for the merge 🙌

4 participants