Vulnerability in node-fetch - DoS
Hermanverschooten opened this issue
I just pushed a project using @dillonkearns/elm-graphql and got a warning from Github about a security vulnerability.
I ran npm audit and this was the result:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @dillonkearns/elm-graphql [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @dillonkearns/elm-graphql > graphql-request > cross-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 881 scanned packages
1 vulnerability requires manual review. See the full report for details.
This is apparently fixed in the latest version of graphql-request. I would love to send a PR, but I know nothing about your package's internals and what it may break.
Do you have elm-graphql installed as a dev dependency or a regular dependency? It's worth noting that the graphql-request code doesn't end up in your application, it's just used to run the CLI task in your build step. I'm not sure if the npm audit makes a distinction between dev vs. prod dependencies or not.
I have it as a dev dependency. But it is not just npm audit, it's also GitHub that complains every time I push my code.