backstage icon indicating copy to clipboard operation
backstage copied to clipboard
verified publisher icon backstage

Snyk vulnerability [SNYK-JS-NODEFETCH-2342118]

Open github-actions[bot] opened this issue 2 years ago • 4 comments

Affecting Packages/Plugins

  • @backstage/plugin-graphql-voyager

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

References

github-actions[bot] avatar Aug 11 '23 00:08 github-actions[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 10 '23 00:10 github-actions[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Dec 11 '23 09:12 github-actions[bot]

This needs a MUI v5 bump to get rid of the @material-ui/core > recompose > fbjs > isomorphic-fetch > node-fetch dependency

Rugvip avatar Dec 12 '23 10:12 Rugvip

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Feb 10 '24 10:02 github-actions[bot]