please update node-fetch to 3 latest.

[JustFly1984]

I'm using yarn and resolutions field in package.json to enforce node-fetch@3.2.0 to all other my app dependencies, and sync-fetch is failing, as part of @graphql-tools/apollo-engine-loader@^7.0.5 and/or @graphql-tools/github-loader@^7.0.5

/project/node_modules/sync-fetch/index.js:4
const _fetch = require('node-fetch')
               ^

Error [ERR_REQUIRE_ESM]: require() of ES Module /project/node_modules/node-fetch/src/index.js from /project/node_modules/sync-fetch/index.js not supported.
Instead change the require of /project/node_modules/node-fetch/src/index.js in /project/node_modules/sync-fetch/index.js to a dynamic import() which is available in all CommonJS modules.
    at Object.<anonymous> (/project/node_modules/sync-fetch/index.js:4:16)
    at Object.<anonymous> (/project/node_modules/@graphql-tools/url-loader/index.js:38:43)
    at Object.<anonymous> (/project/node_modules/graphql-config/index.js:14:19)
    at Object.<anonymous> (/project/node_modules/@graphql-codegen/cli/bin.js:42:23) {
  code: 'ERR_REQUIRE_ESM'
}

Trying to keep my dependencies without vulnerabilities in prod.

[larsgw]

node-fetch@3 introduces too many breaking changes for me at the moment, but from what I understood 2.6.7 also fixed the security vulnerability.

[larsgw]

Specifically, see this excerpt from the v3 upgrade guide:

This module was converted to be a ESM only package in version 3.0.0-beta.10. node-fetch is an ESM-only module - you are not able to import it with require. We recommend you stay on v2 which is built with CommonJS unless you use ESM yourself. We will continue to publish critical bug fixes for it.

Since the package is not ESM-only it cannot use node-fetch v3.