node-fetch vulnerability causing build pipeline failure #58

Closed
dhruveshsheladiya opened this issue Jun 30, 2022 · 2 comments

Comments

dhruveshsheladiya commented Jun 30, 2022

Our ADO build pipeline is failing at the Component Governance step due to a High severity vulnerability in Node-Fetch version 2.6.1. Component Governance shows the due date to resolve this npm package as 2022-06-16T20:09:00.2569253Z, and since this deadline has passed, build pipelines are failing, which stops us from deploying any changes related to the new LCW to staging or production.

node-fetch is being used by package @azure/core-http and @azure/core-http is being used by two different packages:

image

Component Governance error:

image

Member

charliewang95 commented Jun 30, 2022

We also have an ADO pipeline but this hasn't popped up. @dhruveshsheladiya Could you share the CG alert link and suggested steps explained in the alert?

Contributor

sarojkpr commented Jul 1, 2022

This has been fixed after upgrading the node-fetch package version by running `npm update node-fetch`.

sarojkpr closed this as completed Jul 1, 2022
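
One way to confirm from a lockfile which dependency chains still resolve to the flagged node-fetch 2.6.1, as an added example that is not part of the original thread or the project's code. The lockfile contents, the parent package names `app-sdk-a` and `app-sdk-b`, and the helper names `resolveDep` and `findChains` are assumptions made for illustration.

```javascript
// Constructed sample in the npm lockfile v2/v3 "packages" layout. app-sdk-a and
// app-sdk-b are made-up names; every version except node-fetch 2.6.1 is made up.
const sampleLock = { packages: {
  "": { dependencies: { "app-sdk-a": "^1.0.0", "app-sdk-b": "^2.0.0" } },
  "node_modules/app-sdk-a": { version: "1.0.0", dependencies: { "@azure/core-http": "^2.0.0" } },
  "node_modules/app-sdk-b": { version: "2.0.0", dependencies: { "@azure/core-http": "^2.0.0" } },
  "node_modules/@azure/core-http": { version: "2.0.0", dependencies: { "node-fetch": "^2.6.0" } },
  "node_modules/node-fetch": { version: "2.6.1" },
} };

// npm resolution order: the requiring package's own node_modules first, then each
// ancestor's, ending at the top-level node_modules. Returns a lockfile key or null.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Lists every dependency chain from the project root to name@version.
// It enumerates all paths, so it suits spot checks on one flagged package.
function findChains(lock, name, version) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path] || {};
    const dev = path === "" ? pkg.devDependencies : undefined; // only the root installs dev deps
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...dev };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, path, dep);
      if (!target || seen.has(target)) continue; // not installed, or a cycle
      const label = dep + "@" + packages[target].version;
      if (dep === name && packages[target].version === version) {
        chains.push([...trail, label].join(" > "));
      } else {
        walk(target, [...trail, label], new Set(seen).add(target));
      }
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// For a real project, pass the parsed contents of package-lock.json instead.
findChains(sampleLock, "node-fetch", "2.6.1").forEach((c) => console.log(c));
```

An empty result after `npm update node-fetch` means no installed copy at the flagged version remains in the lockfile.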