This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

Remove vulnerable version of cross-fetch #404

Merged: 1 commit, Apr 6, 2022

Conversation

wbt (Contributor) commented Feb 4, 2022

Closes #401.

@wbt wbt requested a review from a team as a code owner February 4, 2022 18:51
wbt (Contributor, Author) commented Feb 16, 2022

Error: #404, reviewer not found

brianlenz commented

Any chance we can get this merged and get a 16.0.4 release pushed?

brianlenz commented Mar 30, 2022

@wbt, you probably should run a yarn install with the change to get yarn.lock updated, too.

But having said that, I realized this alone won't solve the root of the issue, as it's also a transitive dependency from eth-json-rpc-infura. This is actually a non-issue, as v16.0.3 uses a newer version that is unaffected.

https://github.com/MetaMask/web3-provider-engine/blob/main/yarn.lock#L3338
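The check the comment above calls for, whether an affected cross-fetch version still resolves in yarn.lock through a transitive dependency once the direct dependency is dropped, as an added example that is not code from this PR or from web3-provider-engine. It parses the yarn v1 lockfile format and reports each entry of a package that resolves below an assumed fixed version together with the lockfile entries that require it; a hit with no dependents is either a direct dependency of the root package.json or a stale entry that `yarn install` prunes. The lockfile excerpt is constructed, its versions are illustrative, `some-other-lib` is a made-up package, `FIXED_VERSION = '2.2.6'` is a placeholder assumption standing in for whichever version the cross-fetch advisory names, and the function names are my own.

```javascript
// Added example (not code from the PR or from web3-provider-engine): parse a
// yarn.lock (v1 format) and report every entry of one package that resolves
// below an assumed fixed version, plus the entries that depend on it. A hit
// with no dependents is either a direct dependency of the root package.json
// or a stale entry that `yarn install` prunes once the direct dependency is gone.

// Constructed lockfile excerpt, not copied from the repository; versions are
// illustrative and the resolved/integrity lines are omitted (the parser skips them).
const SAMPLE_LOCK = `
# yarn lockfile v1

cross-fetch@^2.1.1:
  version "2.2.3"
  dependencies:
    node-fetch "2.1.2"
    whatwg-fetch "2.0.4"

cross-fetch@^2.2.6:
  version "2.2.6"
  dependencies:
    node-fetch "^2.6.7"

eth-json-rpc-infura@^5.1.0:
  version "5.1.0"
  dependencies:
    cross-fetch "^2.1.1"

some-other-lib@^1.0.0:
  version "1.0.0"
  dependencies:
    cross-fetch "^2.2.6"
`;

// Parse v1 lockfile text into entries { keys, version, dependencies }, where
// keys are the "name@range" selectors (one header may list several) that resolve to the entry.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {
      // Header: comma-separated selectors, each optionally quoted, ending in ':'
      const keys = line.replace(/:$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && current) {
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps && current) {
      const m = line.match(/^"?([^"\s]+)"? "([^"]*)"$/); // name "range"; name is quoted when scoped
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Package name of a selector: everything before the last '@' (scoped names keep the leading '@').
const selectorName = (key) => key.slice(0, key.lastIndexOf('@'));

// Numeric dotted-version comparison. A prerelease tag is dropped, so "2.2.6-rc.1"
// compares equal to "2.2.6"; use the semver package for a production check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i += 1) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Entries of pkgName resolving below fixedVersion, each with the entries that require it.
function findAffected(entries, pkgName, fixedVersion) {
  const bySelector = new Map();
  for (const e of entries) for (const k of e.keys) bySelector.set(k, e);
  const dependents = new Map(); // resolved entry -> ["name@version", ...] of its requirers
  for (const e of entries) {
    for (const [name, range] of Object.entries(e.dependencies)) {
      const target = bySelector.get(`${name}@${range}`);
      if (!target) continue;
      if (!dependents.has(target)) dependents.set(target, []);
      dependents.get(target).push(`${selectorName(e.keys[0])}@${e.version}`);
    }
  }
  return entries
    .filter((e) => selectorName(e.keys[0]) === pkgName && e.version
      && compareVersions(e.version, fixedVersion) < 0)
    .map((e) => ({ version: e.version, requestedAs: e.keys, pulledInBy: dependents.get(e) || [] }));
}

// FIXED_VERSION is an assumption standing in for the version the cross-fetch advisory names.
const FIXED_VERSION = '2.2.6';
const AFFECTED = findAffected(parseYarnLock(SAMPLE_LOCK), 'cross-fetch', FIXED_VERSION);
for (const hit of AFFECTED) {
  const via = hit.pulledInBy.length > 0
    ? `pulled in by ${hit.pulledInBy.join(', ')}`
    : 'no dependents: direct dependency, or stale entry that `yarn install` will prune';
  console.log(`cross-fetch ${hit.version} (${hit.requestedAs.join(', ')}): ${via}`);
}
```

Run it against a real lockfile by reading the file into `SAMPLE_LOCK`'s place; on the constructed excerpt it reports that cross-fetch 2.2.3 is still pulled in by eth-json-rpc-infura@5.1.0, while the 2.2.6 entry required by some-other-lib is not flagged. Removing the direct dependency only empties the `pulledInBy` list for the stale entry; it does nothing about a transitive path, which is why the lockfile, not package.json, is the thing to check.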

wbt added a commit to wbt/cross-fetch that referenced this pull request Apr 6, 2022
Backporting lquixada#124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
wbt (Contributor, Author) commented Apr 6, 2022

@brianlenz I've learned the hard way to exclude package-lock files from PRs to web3 projects. If a maintainer wants to do that, or if someone else wants to issue a PR against my branch awaiting a maintainer's indication that that can be merged first, fine, but I'm not going to sink my own PR by violating a rule like that.

mcmire (Contributor) left a review comment

Okay, I took a look and you're right, it seems like this dependency is no longer used. Seems like someone else in #400 had the same idea too. Thanks so much and sorry for the long delay on this.

@mcmire mcmire merged commit 3773de9 into MetaMask:main Apr 6, 2022
@wbt wbt deleted the patch-1 branch April 6, 2022 20:35
lquixada pushed a commit to lquixada/cross-fetch that referenced this pull request Apr 10, 2022
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
jeffwalsh commented

Is this available in a public version? I don't see a 16.0.4 with this change, as @brianlenz was asking for above.

wbt (Contributor, Author) commented Apr 29, 2022

No, there has not been a publish since the time this PR was merged. You could use a git ref if you really want to, but you'll miss future patches unless updating back after this does eventually get published.

@mcmire mcmire mentioned this pull request Apr 29, 2022
mcmire (Contributor) commented Apr 29, 2022

16.0.4 is now released with this change. Cheers!

Linked issue (closed by this PR): #401, cross-fetch can be removed from the dependency list
4 participants