Bump node-fetch to 2.6.1 #8191
Conversation
Hello, as told in the previous PRs, the vulnerable code is not used, but I have been able to test, so merging ;)
@alexandrebodin Thanks for moving forward with it! Even if it's not used, it causes security vulnerability scanners to flag it, so this will reduce headaches for people who see the false positive :)
node-fetch < 2.6.1 has a security vulnerability (GHSA-w7rc-rwvf-8q5r). This is a major version bump for strapi-plugin-upload (from 1.7.3), but it does not look like strapi-plugin-upload is relying on any of the functionality that has broken from 1.x to 2.x.
Signed-off-by: Dan Wendorf <dan@render.com>
3fdbf05 to 6788a2c
Whoops, sorry to clear the review, @alexandrebodin. I just force-pushed with a sign-off in the commit to make the DCO check pass.
Codecov Report
@@ Coverage Diff @@
## master #8191 +/- ##
==========================================
- Coverage 32.96% 32.95% -0.02%
==========================================
Files 1197 1197
Lines 13020 13027 +7
Branches 1286 1286
==========================================
+ Hits 4292 4293 +1
- Misses 7885 7891 +6
Partials 843 843
Will wait for the tests to pass and merge ;)
@alexandrebodin Since this PR has no code changes, I don't think the code coverage failures are actionable. Is there anything I should do here?
Thank you for your contribution 👍
node-fetch < 2.6.1 has a security vulnerability (GHSA-w7rc-rwvf-8q5r). This is a major version bump for strapi-plugin-upload (from 1.7.3), but it does not look like strapi-plugin-upload is relying on any of the functionality that has broken from 1.x to 2.x.
This covers the same change in #7975, but for more than strapi-generate-new.
This also covers three dependabot PRs that were closed without merging:
Description of what you did:
Bumped node-fetch in the packages that use it, to address a security vulnerability.
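The reviewer's remark above that scanners flag the pre-fix node-fetch even when the vulnerable code path is never executed is worth seeing concretely. The following is an added example, not code from the Strapi repository or from this PR: a minimal package-lock.json v1 walk of the kind a dependency scanner performs, flagging every copy of node-fetch below 2.6.1 wherever it sits in the tree. The lockfile, the package names `some-plugin` and `other-lib`, and the helper names are constructed for the example; only the advisory id and the patched version come from the PR text.

```javascript
// Added example, not part of Strapi or of this PR. Walks a constructed
// package-lock.json v1 tree and reports every node-fetch < 2.6.1, including
// copies nested under other packages, which is why a scanner flags the
// dependency even when the application never exercises the vulnerable code.

const ADVISORY = {
  id: 'GHSA-w7rc-rwvf-8q5r',   // advisory named in the PR
  name: 'node-fetch',
  patchedVersion: '2.6.1',     // first non-vulnerable release per the PR
};

// Compare two "MAJOR.MINOR.PATCH" strings; returns -1, 0 or 1.
// Pre-release tags (e.g. "-beta.9") are deliberately ignored here, so a
// pre-release is compared as its base version; a real scanner uses a full
// semver library instead.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is affected when it is strictly below the patched release.
function isVulnerable(version) {
  return compareVersions(version, ADVISORY.patchedVersion) < 0;
}

// Recursively visit the "dependencies" map of a lockfile v1 document and
// collect the install path of every affected node-fetch.
function findVulnerable(lock) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (name === ADVISORY.name && isVulnerable(entry.version)) {
        hits.push({ path: here.join(' > '), version: entry.version });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile (hypothetical package names): the top-level node-fetch
// is already on 2.6.1, but two transitive copies are still on pre-fix versions.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'node-fetch': { version: '2.6.1' },
    'some-plugin': {
      version: '1.0.0',
      dependencies: {
        'node-fetch': { version: '1.7.3' },
      },
    },
    'other-lib': {
      version: '3.2.0',
      dependencies: {
        'node-fetch': { version: '2.6.0' },
      },
    },
  },
};

const findings = findVulnerable(sampleLock);
for (const f of findings) {
  console.log(`${ADVISORY.id}: ${f.path} (< ${ADVISORY.patchedVersion})`);
}
```

Run with `node` on the constructed lockfile and the two nested copies are reported while the direct 2.6.1 dependency is not. This is the same reasoning the PR follows: bumping only the packages that directly declare node-fetch is not enough if a nested copy remains in the lockfile, so the PR bumps every package in the monorepo that uses it.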