
Security vulnerability with cross-fetch in fbjs #471

Closed
caleb15 opened this issue Jan 28, 2022 · 3 comments · Fixed by #470

Comments


caleb15 commented Jan 28, 2022

In fbjs you have a dependency on cross-fetch version 3.0.4, see https://github.com/facebook/fbjs/blob/main/packages/fbjs/package.json

This version has a vulnerability because it depends on a vulnerable version of node-fetch: GHSA-r683-j2x4-v87g

The package.json should be updated to use cross-fetch 3.1.5, which has an updated version of node-fetch that fixes the vulnerability.

@lucasgonze

I arrived at this issue after tracing that vulnerability through to three other Facebook open source projects. This is a pressing issue.

The latest version of cross-fetch has upgraded from the vulnerable version of node-fetch. The version used in fbjs ("cross-fetch": "^3.0.4") is upwards compatible by semver with the patched version (3.1.5).
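
As an added example (not code from fbjs or from either commenter), a small Node script that applies the semver point above: it reports whether a locked dependency version is still below the fixed release and whether the declared caret range already admits that fix, so a lockfile refresh alone would pick it up. The sample package.json and locked version are constructed to mirror this issue; `assessDependency` and the helper names are chosen here, and only plain `^`, `~` and exact ranges are handled.

```javascript
// Added example: does a declared npm range reach a patched release?
// Handles "^x.y.z", "~x.y.z" and exact "x.y.z"; no prerelease tags or ranges with ||, >=, etc.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// -1 if a < b, 0 if equal, 1 if a > b
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Does `version` satisfy `range` the way npm interprets caret/tilde/exact ranges?
function rangeAllows(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const v = parseVersion(version);
  if (compareVersions(version, base.join(".")) < 0) return false; // below the floor
  if (op === "") return compareVersions(version, base.join(".")) === 0; // exact pin
  if (op === "~") return v[0] === base[0] && v[1] === base[1];          // patch-level only
  // caret: the left-most non-zero component is frozen
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Summarise one dependency: is the resolved version vulnerable, and is the fix
// reachable without editing package.json (i.e. by regenerating the lockfile)?
function assessDependency(pkgJson, lockedVersion, name, fixedIn) {
  const range = (pkgJson.dependencies || {})[name];
  if (!range) throw new Error(`${name} is not declared in dependencies`);
  return {
    declared: range,
    resolved: lockedVersion,
    vulnerable: compareVersions(lockedVersion, fixedIn) < 0,
    fixReachableByLockUpdate: rangeAllows(range, fixedIn),
  };
}

// Constructed sample mirroring the issue: "^3.0.4" declared, 3.0.4 resolved, fix in 3.1.5.
const samplePackageJson = { name: "fbjs", dependencies: { "cross-fetch": "^3.0.4" } };
const report = assessDependency(samplePackageJson, "3.0.4", "cross-fetch", "3.1.5");
console.log(report);
// → { declared: '^3.0.4', resolved: '3.0.4', vulnerable: true, fixReachableByLockUpdate: true }
```

Run against a real package.json and the version recorded in the lockfile; when `fixReachableByLockUpdate` is false, the declared range itself has to change, as a review of the exact-pin case shows.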

lucasgonze added a commit to lucasgonze/fbjs that referenced this issue Feb 9, 2022
Closes facebook#471 "Security vulnerability with cross-fetch in fbjs"

Signed-off-by: Lucas Gonze <lucas@gonze.com>
lucasgonze added a commit to lucasgonze/fbjs that referenced this issue Feb 9, 2022
Closes facebook#471 "Security vulnerability with cross-fetch in fbjs"

Bumps fbjs version to 3.0.3 to enable this change to get picked up.

Signed-off-by: Lucas Gonze <lucas@gonze.com>

caleb15 commented Feb 9, 2022

Thanks for the PR. By the way, I informed Facebook's security team about the issue. They said they would put extra priority on it, so hopefully you will get a review soon.

@lucasgonze

FWIW, our team does a lot of bumps like this in another FB open source project and could possibly be tasked with fbjs items.
