NPM audit advisory 1556 due to node-fetch dependency

[restfulhead]

Q&A

• Method of installation: npm
• Swagger-UI version: 3.34.0

Expected behavior

npm audit should not report any issues.

Actual behaviour

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-ui > react > create-react-class > fbjs >             │
│               │ isomorphic-fetch > node-fetch                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-ui > react-redux > create-react-class > fbjs >       │
│               │ isomorphic-fetch > node-fetch                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-ui > react > fbjs > isomorphic-fetch > node-fetch    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-ui                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-ui > react-dom > fbjs > isomorphic-fetch >           │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Additional notes

Downstream issue: facebook/react#19840
Downstream root issue: matthew-andrews/isomorphic-fetch#189

Guess we'll have to wait until isomorphic-fetch releases a 2.x version.

[tim-lai]

@restfulhead Yup, it's on our radar, and as you noted, we need to wait for a isomorphic-fetch@2.x release. Thanks for bringing this to our attention.

[shagun777]

Hi Is there any update on this issue as we are not able to build the branch because of this issue because jenkins fails our build.

[restfulhead]

There's a new release of create-react-class@15.7.0 that removes the outdated dependency. Are there plans for swagger-ui to upgrade to the new version?

[restfulhead]

@tim-lai Any updates?

[bomeers]

@tim-lai Any updates?

@tim-lai I am also curious if this has been updated.

[tim-lai]

To those tracking this issue, here is some background:

This is most likely a false positive via the React@15 library, specifically with fbjs, but we can't guarantee it. In the other dependency instances that SwaggerUI uses node-fetch, the library authors have been able to migrate to node-fetch@2.6.1

SwaggerUI has a sub-dependencies that uses a version of fbjs which uses isomorphic-fetch@2.x. Moving to isomorphic-fetch@3 is a breaking semver change to fbjs and any upstream dependencies. The React team has requested a minor version bump of isomorphic-fetch@2.x, but atm, it does not look like it will happen. It also appears that the React team will not do a minor version change to fbjs.

I'm keeping this ticket open for now, hoping that we will eventually get a minor version update from either fbjs or isomorphic-fetch.

References:

facebook/react#19840
facebook/fbjs#402
matthew-andrews/isomorphic-fetch#189

---

FYI, this is the current result of npm audit for node-fetch

# Run  npm install react@17.0.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react > fbjs > isomorphic-fetch > node-fetch                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run  npm install react-dom@17.0.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-dom                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-dom > fbjs > isomorphic-fetch > node-fetch             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install --save-dev react-test-renderer@17.0.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-test-renderer [dev]                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-test-renderer > fbjs > isomorphic-fetch > node-fetch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[ThomasLEnablon]

Hello @tim-lai, is there any plans on your part to update your dependencies for the remaining packages you mention as a result of the npm audit ? As this would mean bumping your react version by one major, I know it would be quite an endeavor but still asking. Thanks

[char0n]

All these issues were addressed during v4 release effort. Using Node.js@16.8.x and running following command:

 $ npm audit --verbose --production

produces

found 0 vulnerabilities

We know we have some vulnerabilities in our development dependencies, but they pose no risk to the swagger-ui npm distribution. I'm closing this issue as IMHO the original subject has been addressed (reopen if I'm mistaken).