[Bug]: current version of node-fetch has high severity vulnerability CVE-2022-0235 #7921
Comments
In particular, since Puppeteer pins exact dependency versions, GitHub and various tools will assume that any other version of a transitive dependency is incompatible: Also note that:
So this isn't exactly easy to address in downstream codebases without a new Puppeteer version that avoids the vulnerable dependency versions. A comment by @jschfflr #7717 (comment) suggests that a simple upgrade might have compatibility issues:
Updating to v2.6.7 fixes the issue
For several hours, the GitHub CVE/tooling reported that this was only fixed in node-fetch@3.1.1. It is also fixed in node-fetch@2.6.7 and GitHub/npm tooling and materials have been updated to show that, so this should be a pretty straightforward/easy fix at this point.
Should be fixed by #7924
#7924 has fixed it but it won't be patchable by dependabot without a new patch release.
Can we also patch the other major versions? I mean, cherry-pick 2a8d94c
In my use case, we are running the v93 version of chromium as it is available on latest alpine.
Following the PR discussion (#7924), I ended up using the overrides feature from npm 8.3+ and added to
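As an added example (not code from this issue or from Puppeteer), a Node.js script that scans a package-lock.json for installed node-fetch copies affected by CVE-2022-0235, using the fixed versions stated in this thread (2.6.7 for 2.x, 3.1.1 for 3.x), and emits the npm 8.3+ `overrides` entry the comment above mentions. The lockfile is a constructed sample, and the node-fetch version it shows pinned under puppeteer is assumed, not taken from this page.

```javascript
// Added example, not from the Puppeteer issue: find node-fetch copies in a
// package-lock.json (lockfileVersion 2/3 "packages" map) that predate the fixed
// releases named in the thread (2.6.7 / 3.1.1) and build the matching npm override.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected: any 2.x release below 2.6.7, or any 3.x release below 3.1.1.
function isVulnerableNodeFetch(version) {
  const v = parseSemver(version);
  if (v[0] === 2) return cmp(v, [2, 6, 7]) < 0;
  if (v[0] === 3) return cmp(v, [3, 1, 1]) < 0;
  return false; // other majors are not covered by the advisory text on this page
}

// Every key ending in "node_modules/node-fetch" is one installed copy (nested or hoisted).
function findVulnerableNodeFetch(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/node-fetch')) continue;
    if (meta.version && isVulnerableNodeFetch(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// npm 8.3+ "overrides" entry forcing a vulnerable transitive node-fetch 2.x onto the fixed release.
function overridesFor(hits) {
  return hits.some((h) => parseSemver(h.version)[0] === 2) ? { 'node-fetch': '2.6.7' } : {};
}

// Constructed sample lockfile: the node-fetch version pinned under puppeteer is assumed.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/puppeteer': { version: '13.1.1', dependencies: { 'node-fetch': '2.6.1' } },
    'node_modules/puppeteer/node_modules/node-fetch': { version: '2.6.1' },
    'node_modules/node-fetch': { version: '3.1.1' },
  },
};

const found = findVulnerableNodeFetch(sampleLock);
console.log(found, overridesFor(found));
```

Overrides pin the transitive dependency only for your own install tree, so the upgraded Puppeteer release is still the durable fix.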
I don't think it's been mentioned here yet, but https://github.com/puppeteer/puppeteer/releases/tag/v13.1.2 Thanks, @OrKoN! ❤️
Bug description
Steps to reproduce the problem:
See CVE-2022-0235
Puppeteer version
13.1.1
Node.js version
16
npm version
8.1
What operating system are you seeing the problem on?
Linux, Windows
Relevant log output
No response
Edit: patch released https://github.com/puppeteer/puppeteer/releases/tag/v13.1.2