Tag a new version with the security fix #191
Comments
yes, please fix this 🙏
Yes, that would be really great!
Ah yes indeed, this is the plan … have you tested it … are you confident that it works for you all?
Would be great for a new release with node-fetch updated
@matthew-andrews As it is still a new version and due to node's dependency mechanism users will not directly update if they don't actively do it via package.json or recreating a lockfile, I would say, just release it.
Dear @matthew-andrews, as @cberg-zalando mentioned, nobody has to apply the new version and we (our team) would really appreciate you releasing an updated version of isomorphic-fetch as it is the only simple way to keep our live product secure. We really do rely on this. Thanks and with best regards
@matthew-andrews I just tested it in one of my projects. I cloned the repository and linked it as a resolution in my project. With the new version everything worked the same as before. This is obviously not an in-depth test but maybe already gives some more certainty.
Could you, please, release the new version? The last released version 2.2.1 is from 5 years ago.
+1
@matthew-andrews when will a new tag be released?
Thanks for your testing @lkuechler … it matches what I see. It has been published at v3.0.0 as the underlying dependencies (node-fetch and the fetch browser polyfill) have been pulled from new major versions.
I see that you updated your node-fetch dependency a couple of hours ago to fix a minor security vulnerability. I'm here looking for an updated version because I received the same vulnerability notification from ... So I'm probably not the only one looking for a new version of isomorphic-fetch that I can slap into my package.json to make the alert go away. :)