Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update away from vulnerable version of node-fetch #135

Merged
merged 1 commit into from
Apr 10, 2022

Conversation

wbt
Copy link

@wbt wbt commented Apr 6, 2022

Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404

Backporting lquixada#124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022

This pull request doesn’t change much. "^2.6.1" means >= 2.6.1 && < 3, so version 2.6.7 is installed anyways.

The mentioned patch, MetaMask/web3-provider-engine#404, is different because here the version number isn’t prefixed by a caret (^).

@lquixada
Copy link
Owner

lquixada commented Apr 10, 2022

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release. Thanks @wbt

@lquixada lquixada merged commit 6ae9201 into lquixada:2.x Apr 10, 2022
lquixada pushed a commit that referenced this pull request Apr 10, 2022
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022

It seems an important change: ensuring 2.6.7 as the minimum version for node-fetch as it's a security patch release.

Good point. You're right and I was wrong.

@janaagaard75
Copy link

janaagaard75 commented Apr 10, 2022

Curious: Why does the package.json has a caret in the version number, when the one here in this repo does not? Is there another release of cross-fetch that allows updates to the dependencies?

@lquixada
Copy link
Owner

Using a caret has its pros and cons. I feel there's no clear answer but here's a few insights: #129 (comment).

@janaagaard75
Copy link

Thanks for the update, @lquixada. I had missed that #132 had been merged. Sorry for the noise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants