Skip to content

Exposure of Sensitive Information to an Unauthorized Actor #448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nbouvrette opened this issue Jan 22, 2022 · 4 comments · Fixed by #447
Closed

Exposure of Sensitive Information to an Unauthorized Actor #448

nbouvrette opened this issue Jan 22, 2022 · 4 comments · Fixed by #447

Comments

@nbouvrette
Copy link

Please update node-fetch to fix vulnerability issue:

node-fetch  <3.1.1
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
@nbouvrette nbouvrette mentioned this issue Jan 22, 2022
Closed
@wolfy1339
Copy link
Member

We cannot upgrade to v3 of node-fetch since it is now an ESM module.

However, we can upgrade to 2.6.7 which contains a backported fix for that vulnerability.

But, the octokit modules are unmaintained.
For more information, check out this discussion, and subscribe for any further updates.

Considering that, I am considering maybe pushing a hotfix for this vulnerability

@jbrunton
Copy link

@wolfy1339: Thank you for clarifying, and thanks in advance for the hotfix.

Is there any official line on whether Octokit will be maintained in future or deprecated? It's still listed as the official API library in the GitHub docs and I don't see any mention that it's deprecated in the readme.

@wolfy1339
Copy link
Member

Is there any official line on whether Octokit will be maintained in future or deprecated?

I'm only a volunteer community contributor. I don't have a line to GitHub.

Unfortunately, I don't have any further information.

@wolfy1339 wolfy1339 linked a pull request Jan 22, 2022 that will close this issue
fix(deps): bump node-fetch from 2.6.5 to 2.6.7 #447
Merged
wolfy1339 pushed a commit that referenced this issue Jan 22, 2022
@dependabot
fix(deps): bump node-fetch requirement to 2.6.7 (#447)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
9f82885 
Fixes #448
@github-actions
Copy link

🎉 This issue has been resolved in version 5.6.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(deps): bump node-fetch from 2.6.5 to 2.6.7 octokit/request.js
3 participants
@jbrunton @wolfy1339 @nbouvrette