CVE-2020-15168 found in [email protected]

[leonidio-com]

CVE-2020-15168 found in [email protected]
CVE-2020-15168 is fixed in "node-fetch": "^2.6.1"
Is there a chance to update it in flux?
+-- [email protected]
| +-- [email protected]
| | -- [email protected] deduped | -- [email protected]
| +-- [email protected]
| +-- [email protected]
| | +-- [email protected]

[jigalovd]

we have same issue with [email protected]

any update?

[TomBrien]

facebook/docusaurus also has this vulnerability for the same reason. Bumping fbjs (currently two major versions behind) would fix

[hugoboos]

Appreciated if this is fixed.

[Kenzku]

Hej, I saw the release number is still 3.1.3 but that was nearly 3 years ago. Any plan for a minor release please?

[yangshun]

Yeah we'll try to make a release this week.

[janetwang1]

Yeah we'll try to make a release this week.

any update on this issue? will you be able to make a release soon?

Thanks

Janet

[yangshun]

It has been released

[Kenzku]

@yangshun how about this: facebook/fbjs#412

[leonidio-com]

@yangshun
I am still seeing this here:

+-- [email protected]
| +-- [email protected]
| | `-- [email protected]
| |   +-- [email protected]
| |   +-- [email protected]
| |   | +-- [email protected]

I was thinking the whole point of this issue was to make node-fetch >= 2.6.1
Is there a chance we could address that?

[yangshun]

We need fbemitter to upgrade the fbjs version it uses but it has already been archived. I'll see what I can do internally to maybe upgrade fbemitter.

[Kenzku]

@yangshun Thanks for investigating on it

[yangshun]

I got fbemitter unarchived, upgraded deps and published v3.0.0. Then I updated flux to use [email protected] and released v4.0.1.

Should be fine now!

[Kenzku]

@yangshun thanks so much. I will sync up with my team the next working day.