Found 3 vulnerabilities
When installing the package I get the "vulnerabilities found" warning message from npm. These seem not to be fixable by a simple `npm audit fix`, which returns:
```
# npm audit report

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    binance-api-node  >=0.0.1
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/binance-api-node

3 vulnerabilities (2 low, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
I don't like the idea of the `--force` flag, when the issue could be addressed by updating the packages in the main repo.
Agree that it's an issue, but it would only be concerning if the lib was targeting untrusted sources which could use this redirect vuln. We could switch to got eventually, but I'd prefer to keep some client support too, so rely on global fetch or a polyfill? TBD.
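For readers who want to see what the two advisories in the audit output actually mean in practice, here is an added example (not code from binance-api-node, node-fetch or this thread's authors). It shows a small fetch wrapper that follows redirects itself and mitigates both problem classes: the byte cap (node-fetch's `size` idea) is applied on every hop rather than only the first, and credential-bearing headers are dropped when a redirect leaves the original origin, which is the behaviour GHSA-r683-j2x4-v87g was about. The hostnames `api.example` and `evil.example`, the function names, and the hand-built `fetchImpl` are all assumptions so that it runs offline; it assumes Node 18+ globals (`Headers`, `ReadableStream`, `TextEncoder`).

```javascript
// Added example, not the library's code. Assumes Node 18+ (Headers,
// ReadableStream, TextEncoder globals). `fetchImpl` is injected so the
// demo runs offline against a constructed fake instead of a real server.

const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Drop credential headers when the redirect target is a different origin.
function headersForRedirect(fromUrl, toUrl, headers) {
  const out = new Headers(headers);
  if (new URL(fromUrl).origin !== new URL(toUrl).origin) {
    for (const h of SENSITIVE_HEADERS) out.delete(h);
  }
  return out;
}

// Read a body stream, rejecting as soon as more than maxBytes have arrived.
async function readCapped(body, maxBytes) {
  if (!body) return new Uint8Array(0);
  const reader = body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { value, done } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel();
      throw new Error(`response exceeded ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  const out = new Uint8Array(total);
  let off = 0;
  for (const c of chunks) { out.set(c, off); off += c.byteLength; }
  return out;
}

// Follow redirects manually so every hop gets the same header hygiene and
// the same byte cap; `redirect: 'manual'` stops fetch from doing it for us.
async function fetchWithLimits(url, init = {},
  { fetchImpl = globalThis.fetch, maxBytes = 1024 * 1024, maxRedirects = 5 } = {}) {
  let current = url;
  let headers = new Headers(init.headers);
  for (let hop = 0; ; hop++) {
    const res = await fetchImpl(current, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      if (hop >= maxRedirects) throw new Error('too many redirects');
      if (res.body) await res.body.cancel(); // release the redirect response
      const next = new URL(location, current).href;
      headers = headersForRedirect(current, next, headers);
      current = next;
      continue;
    }
    const bytes = await readCapped(res.body, maxBytes); // cap applies on the final hop too
    return { url: current, status: res.status, bytes };
  }
}

// Constructed fake "network" (hypothetical hosts): api.example/start redirects
// to evil.example/big, which answers with a 2 KB body in two chunks. Every
// request is logged with the Authorization value that host would have seen.
function makeFakeFetch(log) {
  const enc = new TextEncoder();
  return async (url, init) => {
    const u = new URL(url);
    log.push({ host: u.host, auth: init.headers.get('authorization') });
    if (u.host === 'api.example' && u.pathname === '/start') {
      return { status: 302, headers: new Headers({ location: 'https://evil.example/big' }), body: null };
    }
    const payload = enc.encode('x'.repeat(2048));
    const body = new ReadableStream({
      start(ctrl) { ctrl.enqueue(payload.subarray(0, 1024)); ctrl.enqueue(payload.subarray(1024)); ctrl.close(); },
    });
    return { status: 200, headers: new Headers(), body };
  };
}

async function demo() {
  const log = [];
  const opts = { fetchImpl: makeFakeFetch(log), maxRedirects: 3 };
  const init = { headers: { Authorization: 'Bearer secret-token' } };
  // 1) A 1500-byte cap trips on the redirected host, not just the first one.
  let capped = null;
  try { await fetchWithLimits('https://api.example/start', init, { ...opts, maxBytes: 1500 }); }
  catch (e) { capped = e.message; }
  // 2) With a generous cap the body arrives, but evil.example never saw the token.
  const ok = await fetchWithLimits('https://api.example/start', init, { ...opts, maxBytes: 4096 });
  return { capped, ok, log };
}

demo().then(({ capped, ok, log }) => console.log(capped, ok.url, ok.bytes.byteLength, log));
```

Swapping the fake for the real global `fetch` (or a polyfill) gives the "rely on global fetch" option from the comment above, with the two redirect behaviours handled in the wrapper rather than depending on whichever fetch implementation is installed.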
I agree that it's not a dangerous issue for how it is being used. Just wanted to pin it, so that in the future it might be addressed 😊
Btw, great job with this library 🚀
When do you plan to fix these vulnerabilities?
@evaleiraspollux Care to make a PR if you're concerned?