PouchDB relying on vulnerable version of node-fetch #8440
Comments
Resolves a vulnerability present in versions of node-fetch less than 2.6.7
PR 8448 should resolve the vulnerable dependency
@karlwestin it might not really be up to you, but do you have any idea when we might get a release with the PR that resolves this issue? Thanks
Same. I am waiting for this update to update my apparatus.
Also would love to see a fix. Given that the "hard" part (fixing it in the codebase) is already done and just needs to land in a published version, it's a little hard not to see the current situation as Node that |
Any update on that release? 😃
poke 🥺
It's landed: https://pouchdb.com/2022/04/13/pouchdb-7.3.0.html
Issue
PouchDB relies upon a vulnerable version of node-fetch. PouchDB's package.json has the node-fetch dependency pinned at 2.6.0 as of v7.2.2. It looks like master has it pinned at 2.6.4. The vulnerability was patched in node-fetch 2.6.7.
Info
Reproduce
npm audit
Expected: No vulnerabilities
Actual: node-fetch vulnerabilities in pouchdb, pouchdb-find, pouchdb-fetch, and pouchdb-abstract-mapreduce
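A lockfile check for the condition this issue describes, as an added example that is not part of the original thread or of PouchDB's code: it walks the `packages` map of an npm lockfile (v2/v3 layout) and lists every installed copy of node-fetch older than 2.6.7, including copies nested under other packages. The sample lockfile is constructed, and `example-app`, `other-lib` and `legacy-lib` are hypothetical names.

```javascript
// Added example: report node-fetch copies older than 2.6.7 in an npm lockfile.
const FIXED = [2, 6, 7]; // patched node-fetch release named in the issue

// Parse "major.minor.patch"; returns null for anything else (tags, git URLs, missing).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` sorts strictly before `floor` (both [major, minor, patch]).
function isBelow(version, floor) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== floor[i]) return version[i] < floor[i];
  }
  return false;
}

// Walk lock.packages and collect node-fetch entries that are old or unreadable.
function findOldNodeFetch(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/node-fetch"; the last segment is the name.
    const name = path.split("node_modules/").pop();
    if (name !== "node-fetch") continue;
    const parsed = parseVersion(meta.version);
    // Unparseable versions are surfaced for manual review instead of being skipped.
    const status = parsed === null ? "unknown" : isBelow(parsed, FIXED) ? "vulnerable" : "ok";
    if (status !== "ok") findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/pouchdb": { version: "7.2.2" },
    "node_modules/node-fetch": { version: "2.6.0" },
    "node_modules/pouchdb-fetch": { version: "7.2.2" },
    "node_modules/other-lib/node_modules/node-fetch": { version: "2.6.7" },
    "node_modules/legacy-lib/node_modules/node-fetch": { version: "2.6.4" },
  },
};

for (const f of findOldNodeFetch(sampleLock)) {
  console.log(`${f.status}: node-fetch@${f.version} at ${f.path}`);
}
```

Run it against a real project by replacing `sampleLock` with the parsed contents of `package-lock.json`; nested paths in the output show which dependency still pulls in the old copy.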