Security vulnerability with cross-fetch in fbjs #471
I arrived at this issue after tracing that vulnerability through to three other Facebook open source projects. This is a pressing issue. The latest version of cross-fetch has upgraded from the vulnerable version of node-fetch. The version used in fbjs ("cross-fetch": "^3.0.4") is upwards compatible by semver with the patched version (3.1.5).
Closes facebook#471 "Security vulnerability with cross-fetch in fbjs" Signed-off-by: Lucas Gonze <lucas@gonze.com>
Closes facebook#471 "Security vulnerability with cross-fetch in fbjs" Bumps fbjs version to 3.0.3 to enable this change to get picked up. Signed-off-by: Lucas Gonze <lucas@gonze.com>
Thanks for the PR. By the way, I informed Facebook's security team about the issue. They said they would put extra priority on it, so hopefully you will get a review soon.
FWIW, our team does a lot of bumps like this in another FB open source project and could possibly be tasked with fbjs items.
In fbjs you have a dependency on cross-fetch version 3.0.4, see https://github.com/facebook/fbjs/blob/main/packages/fbjs/package.json
This version has a vulnerability because it depends on a vulnerable version of node-fetch: GHSA-r683-j2x4-v87g
The package.json should be updated to use cross-fetch 3.1.5, which has an updated version of node-fetch that fixes the vulnerability.
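As an added example (not code from fbjs or from anyone in this thread), a small Node script that checks the situation described in the issue: whether the lockfile's resolved cross-fetch is below the first fixed release, and whether the declared range ("^3.0.4") already admits that release so a lockfile refresh is enough, or whether package.json must change. The manifests are constructed, and the lockfile layout assumed is lockfileVersion 2 or later.

```javascript
// Parse "3.1.5" (or "v3.1.5") into [3, 1, 5].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two parsed versions: <0, 0 or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal check for the caret, tilde and exact ranges package.json commonly uses.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (compareVersions(v, base) < 0) return false;
  if (op === '^') {
    if (base[0] > 0) return v[0] === base[0];               // ^3.0.4 admits 3.x.y
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.2.1 admits 0.2.y
    return compareVersions(v, base) === 0;                  // ^0.0.3 admits 0.0.3 only
  }
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  return compareVersions(v, base) === 0;
}

// Is the lockfile's resolved version below the first fixed release, and does the
// declared range already admit that release (lockfile refresh) or must it change?
function assessDependency(name, declaredRange, resolvedVersion, patchedVersion) {
  const resolvedIsVulnerable = compareVersions(parseVersion(resolvedVersion), parseVersion(patchedVersion)) < 0;
  const rangeAdmitsFix = satisfies(patchedVersion, declaredRange);
  const action = !resolvedIsVulnerable ? 'none'
    : rangeAdmitsFix ? 'refresh lockfile; declared range already permits the fix'
    : 'change the package.json range, then refresh lockfile';
  return { name, resolvedIsVulnerable, rangeAdmitsFix, action };
}
// Constructed manifests mirroring the issue: cross-fetch declared as ^3.0.4 and
// resolved to 3.0.4 in a lockfileVersion 2+ lockfile; the fix shipped in 3.1.5.
const SAMPLE_PACKAGE_JSON = { dependencies: { 'cross-fetch': '^3.0.4' } };
const SAMPLE_LOCKFILE = { packages: { 'node_modules/cross-fetch': { version: '3.0.4' } } };
function assessFromManifests(pkg, lock, name, patchedVersion) {
  const range = (pkg.dependencies || {})[name];
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!range || !entry) throw new Error(`${name} not declared or not resolved`);
  return assessDependency(name, range, entry.version, patchedVersion);
}
console.log(assessFromManifests(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, 'cross-fetch', '3.1.5'));
```

Point the two constants at a real package.json and package-lock.json (read with `JSON.parse(fs.readFileSync(...))`) to run the same check in CI against the project's actual manifests.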