
Update away from vulnerable version of node-fetch #135

Merged
merged 1 commit into from
Apr 10, 2022

Conversation

@wbt wbt commented Apr 6, 2022

Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404

janaagaard75 commented Apr 10, 2022

This pull request doesn’t change much. "^2.6.1" means >= 2.6.1 && < 3, so version 2.6.7 is installed anyways.

The mentioned patch, MetaMask/web3-provider-engine#404, is different because here the version number isn’t prefixed by a caret (^).

lquixada (Owner) commented Apr 10, 2022

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release. Thanks @wbt
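As an added illustration of the range semantics discussed in the two comments above (example code, not from cross-fetch, node-fetch or npm): a minimal resolver that handles only plain x.y.z versions with caret or exact ranges, and shows that a bare pin stays on the old version while raising the caret floor to 2.6.7 is what removes the older releases from what the range can resolve to. The published version list is constructed for the example.

```javascript
// Parse "x.y.z" into [x, y, z]; anything else is rejected (pre-release tags etc. not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^x.y.z allows >= x.y.z and < (x+1).0.0 when x > 0.
// For 0.y.z the left-most non-zero component is the one that may not change.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True when `version` is inside `range` ("^x.y.z" caret range or bare "x.y.z" exact pin).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const floor = parseVersion(range.slice(1));
    return compare(v, floor) >= 0 && compare(v, caretUpperBound(floor)) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Highest published version the range admits (what a fresh install would pick), or null.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  if (ok.length === 0) return null;
  return ok.map(parseVersion).sort(compare).pop().join('.');
}

// True when the range still admits some published version older than the patched floor,
// i.e. a lockfile or a registry with the patched release removed could keep an old version in.
function allowsBelow(range, patched, available) {
  const floor = parseVersion(patched);
  return available.some((v) => satisfies(v, range) && compare(parseVersion(v), floor) < 0);
}

// Constructed list of published versions (not the real node-fetch release history).
const PUBLISHED = ['2.6.0', '2.6.1', '2.6.5', '2.6.7', '3.0.0', '3.2.3'];
```

Running `resolve('^2.6.1', PUBLISHED)` and `resolve('^2.6.7', PUBLISHED)` both give 2.6.7, but only the second range rejects every version older than 2.6.7, and the bare pin `'2.6.1'` never moves at all.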

@lquixada lquixada merged commit 6ae9201 into lquixada:2.x Apr 10, 2022
lquixada pushed a commit that referenced this pull request Apr 10, 2022
janaagaard75 commented Apr 10, 2022

> It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release.

Good point. You're right and I was wrong.

janaagaard75 commented Apr 10, 2022

Curious: Why does the package.json have a caret in the version number, when the one here in this repo does not? Is there another release of cross-fetch that allows updates to the dependencies?

lquixada (Owner) commented
Using a caret has its pros and cons. I feel there's no clear answer but here's a few insights: #129 (comment).

janaagaard75 commented
Thanks for the update, @lquixada. I had missed that #132 had been merged. Sorry for the noise.
