
[Bug]: current version of node-fetch has high severity vulnerability CVE-2022-0235 #7921

Closed
humble-barnacle001 opened this issue Jan 22, 2022 · 8 comments

@humble-barnacle001

humble-barnacle001 commented Jan 22, 2022

Bug description

Steps to reproduce the problem:

  1. npm audit

See CVE-2022-0235

Puppeteer version

13.1.1

Node.js version

16

npm version

8.1

What operating system are you seeing the problem on?

Linux, Windows

Relevant log output

No response

Edit: patch released https://github.com/puppeteer/puppeteer/releases/tag/v13.1.2

@lgarron

lgarron commented Jan 22, 2022

In particular, since Puppeteer pins exact dependency versions, GitHub and various tools will assume that any other version of a transitive dependency is incompatible:

[screenshot omitted]

Also note that:

  • npm install node-fetch@3.1.1 will not address the security alert from npm audit.
  • npm audit fix --force will downgrade Puppeteer to v5.3.1 to avoid the vuln.

So this isn't exactly easy to address in downstream codebases without a new Puppeteer version that avoids the vulnerable dependency versions.

A comment by @jschfflr #7717 (comment) suggests that a simple upgrade might have compatibility issues:

@jackfranklin It looks like node-fetch only supports esm starting with v 3.0.

@humble-barnacle001
Author

Updating to v2.6.7 fixes the issue

@Trott

Trott commented Jan 23, 2022

For several hours, the GitHub CVE/tooling reported that this was only fixed in node-fetch@3.1.1. It is also fixed in node-fetch@2.6.7 and GitHub/npm tooling and materials have been updated to show that, so this should be a pretty straightforward/easy fix at this point.

@humble-barnacle001
Author

Should be fixed by #7924

@PythonCoderAS

#7924 has fixed it but it won't be patchable by dependabot without a new patch release.

@drealecs

drealecs commented Jan 25, 2022

Can we also patch the other major versions? I mean, cherry-pick 2a8d94c.
As per https://github.com/puppeteer/puppeteer/blob/main/docs/api.md that means:

  • 11.0.0 to 11.0.1 as the last one supporting v93 chromium.
  • 12.0.1 to 12.0.2 as the last one supporting v97 chromium.

In my use case, we are running the v93 version of chromium as it is available on latest alpine.

@drealecs

drealecs commented Jan 25, 2022

Following the PR discussion (#7924), I ended up using the overrides feature from npm 8.3+ and added this to package.json:

  "overrides": {
    "puppeteer": {
      "node-fetch@2.6.5": "2.6.7"
    }
  },
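The two points above (lgarron's note that installing a patched top-level node-fetch does not clear the alert because Puppeteer pins its own nested copy, and the npm overrides workaround) can be checked against the lockfile directly. The following script is an added example, not code from the Puppeteer project or from anyone in this thread. It walks a package-lock.json "packages" map (lockfileVersion 2 or 3; v1 lockfiles are not handled, by assumption) and flags every installed node-fetch whose version is in the range the thread reports as affected by CVE-2022-0235: fixed in 2.6.7 and 3.1.1, so anything below 2.6.7 or from 3.0.0 up to but excluding 3.1.1. The two embedded lockfiles are constructed samples, trimmed to the relevant entries; `LOCK_BEFORE_OVERRIDE`, `LOCK_AFTER_OVERRIDE`, `example-app` and the function names are mine.

```javascript
// Added example (not from the Puppeteer project): audit a package-lock.json
// object for node-fetch copies in the CVE-2022-0235 range the thread reports
// (fixed in 2.6.7 and 3.1.1). Every install path is checked, not only the
// hoisted top-level copy, because a nested
// node_modules/puppeteer/node_modules/node-fetch is what `npm audit` sees.
// Assumption: lockfileVersion 2 or 3 ("packages" map); v1 is not handled.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing major.minor.patch (prerelease tags ignored).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected: <2.6.7 on the 1.x/2.x line, >=3.0.0 <3.1.1 on the 3.x line.
function isVulnerableNodeFetch(version) {
  const [major] = parseSemver(version);
  if (major <= 2) return compareSemver(version, '2.6.7') < 0;
  if (major === 3) return compareSemver(version, '3.1.1') < 0;
  return false; // 4.x and later are outside the reported range
}

// Walks every entry of the "packages" map and returns the install paths whose
// resolved version is vulnerable. Keys look like "node_modules/node-fetch" or
// "node_modules/puppeteer/node_modules/node-fetch".
function findVulnerableNodeFetch(lock) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (!installPath.endsWith('node_modules/node-fetch')) continue;
    if (meta && meta.version && isVulnerableNodeFetch(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the situation lgarron describes, where
// `npm install node-fetch@3.1.1` adds a patched top-level copy but puppeteer
// still resolves its own pinned 2.6.5 underneath it.
const LOCK_BEFORE_OVERRIDE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-fetch': { version: '3.1.1' },
    'node_modules/puppeteer': { version: '13.1.1', dependencies: { 'node-fetch': '2.6.5' } },
    'node_modules/puppeteer/node_modules/node-fetch': { version: '2.6.5' },
  },
};

// Constructed sample after the "overrides" entry from the comment above forces
// puppeteer's node-fetch to 2.6.7; the resolved version is what matters.
const LOCK_AFTER_OVERRIDE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/puppeteer': { version: '13.1.1', dependencies: { 'node-fetch': '2.6.5' } },
    'node_modules/puppeteer/node_modules/node-fetch': { version: '2.6.7' },
  },
};

// Stand-alone run: pass a real package-lock.json path as argv[2] to audit
// your own tree; with no argument the constructed "before" sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : LOCK_BEFORE_OVERRIDE;
  const hits = findVulnerableNodeFetch(lock);
  console.log(hits.length ? hits : 'no vulnerable node-fetch copies found');
}
```

Run it as `node check-node-fetch.js package-lock.json` after `npm install` with the override in place; an empty result means every resolved node-fetch, nested ones included, is at a fixed version. Checking the lockfile rather than the top-level `node_modules/node-fetch` is the point: the nested copy under puppeteer is the one `npm audit` reports.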

@lgarron

lgarron commented Jan 26, 2022

I don't think it's been mentioned here yet, but v13.1.2 is out with the dependency update:

https://github.com/puppeteer/puppeteer/releases/tag/v13.1.2

Thanks, @OrKoN! ❤️
