Exposure of Sensitive Information to an Unauthorized Actor

[nbouvrette]

Please update node-fetch to fix vulnerability issue:

node-fetch  <3.1.1
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g

[wolfy1339]

We cannot upgrade to v3 of node-fetch since it is now an ESM module.

However, we can upgrade to 2.6.7 which contains a backported fix for that vulnerability.

But, the octokit modules are unmaintained.
For more information, check out this discussion, and subscribe for any further updates.

Considering that, I am considering maybe pushing a hotfix for this vulnerability

[jbrunton]

@wolfy1339: Thank you for clarifying, and thanks in advance for the hotfix.

Is there any official line on whether Octokit will be maintained in future or deprecated? It's still listed as the official API library in the GitHub docs and I don't see any mention that it's deprecated in the readme.

[wolfy1339]

Is there any official line on whether Octokit will be maintained in future or deprecated?

I'm only a volunteer community contributor. I don't have a line to GitHub.

Unfortunately, I don't have any further information.

[github-actions]

🎉 This issue has been resolved in version 5.6.3 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀