PouchDB relying on vulnerable version of node-fetch

[rdwoodring]

Issue

PouchDB relies upon a vulnerable version of node-fetch. PouchDB's package.json has the node-fetch dependency pinned at 2.6.0 as of v7.2.2. It looks like master has it pinned at 2.6.4. The vulnerability was patched in node-fetch 2.6.7

Info

• Environment: Node & browser
• Platform: All
• Adapter: All
• Server: All
• Version: 7.2.2

Reproduce

1. Run npm audit

Expected: No vulnerabilities
Actual: node-fetch vulnerabilities in pouchdb, pouchdb-find, pouchdb-fetch, and pouchdb-abstract-mapreduce

[joemc11]

This is a high vulnerability, so would be great to get this fixed and published. What is the estimated time frame for this fix.

[rdwoodring]

PR 8448 should resolve the vulnerable dependency

[rdwoodring]

@karlwestin it might not really be up to you, but do you have any idea when we might get a release with the PR that resolves this issue?

Thanks

[AuracleTech]

Any idea when we might get a release with the PR that resolves this issue?

Same. I am waiting for this update to update my apparatus.

[lgarron]

Any idea when we might get a release with the PR that resolves this issue?

Same. I am waiting for this update to update my apparatus.

Also would love to see a fix. Given that the "hard" part (fixing it in the codebase) is already done and just needs to land in a published version, it's a little hard not to see the current situation as pouchdb effectively being unmaintained. :-/

Node that npm audit fix --force would actually downgrade to pouch-db@7.0.0, which doesn't sound great.

[AlbaHerrerias]

node-fetch was upgraded to 2.6.7 in this PR #8448 and merged to master, therefore I'm closing this issue. We're working in a new release, it will land soon. Thank you.

[lgarron]

Any update on that release? 😃

[lgarron]

We're working in a new release, it will land soon. Thank you.

poke 🥺
Is this still planned?

[garethbowen]

It's landed: https://pouchdb.com/2022/04/13/pouchdb-7.3.0.html