
I have a node-module called node-fetch which is producing a Denial of Service security vulnerability. The only way to fix this is to update it to version 2.6.1. When I run npm ls node-fetch I can see that it's a dependency of swagger-ui.

`-- swagger-ui@3.23.11
  +-- react@15.6.2
  | `-- fbjs@0.8.17
  |   `-- isomorphic-fetch@2.2.1
  |     `-- node-fetch@1.7.3  deduped
  `-- swagger-client@3.9.4
    `-- cross-fetch@0.0.8
      `-- node-fetch@1.7.3

I tried npm install swagger-ui@latest to see if that would fix the issue, but it did not. I also tried editing the version in package-lock.json, but it reverts when running npm install.

I am very new to fixing security vulnerabilities so I don't know exactly what to do here.

Anything helps! Cheers

bocodes
  • Related issue in Swagger UI repo: https://github.com/swagger-api/swagger-ui/issues/6437 – Helen Mar 02 '21 at 18:19
  • Does this help? [How do I override nested NPM dependency versions?](https://stackoverflow.com/q/15806152/113116), [npm equivalent of yarn resolutions?](https://stackoverflow.com/q/52416312/113116) – Helen Mar 02 '21 at 18:31
  • @Helen I tried the [resolutions method](https://www.npmjs.com/package/npm-force-resolutions) and got this in return after running `npm install` and `npm ls node-fetch`: `npm ERR! invalid: node-fetch@2.6.1` – bocodes Mar 02 '21 at 20:13

2 Answers

As a solution, I can suggest adding the resolutions to your package.json:

{
....

  "dependencies": {
     ...
     "swagger-ui": "3.23.11",
     ...
  },
  "resolutions": {
    "node-fetch": "2.6.1"
  }
}
CyberEternal
  • I tried the resolutions method and got this in return after running `npm install` and `npm ls node-fetch`: npm ERR! invalid: node-fetch@2.6.1 – bocodes Mar 03 '21 at 14:12

As of npm 8.3.0, you should be able to add this to your package.json to fix the issue.

"overrides": {
    "node-fetch": "^2.6.7"
},

This tells the installer to override any installed version of node-fetch with version 2.6.7 or any minor release that came after this version (e.g. 2.6.8 would be allowed but 3.0.0 would not).
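As an added example (not code from the question or from either answer), the script below walks the JSON tree that `npm ls --json` prints, lists every path that still resolves a node-fetch older than the 2.6.1 fix named in the question, and checks candidate versions against the caret range used in the `overrides` entry. The tree is a constructed sample shaped to mirror the question's `npm ls node-fetch` output; `satisfiesCaret` assumes a non-zero major version, which is all this case needs.

```javascript
// Added example, not from the question or the answers: find every path in an
// `npm ls --json` tree that still resolves node-fetch below the fixed version,
// and check candidate versions against the caret range used in "overrides".

function parseVersion(v) {
  return v.split('.').map(Number); // [major, minor, patch]; prerelease tags not handled
}

// Compare dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret range as npm applies it for a non-zero major: >=X.Y.Z and <(X+1).0.0.
// (Assumption: 0.x.y majors, which npm locks to the minor, are not needed here.)
function satisfiesCaret(range, version) {
  const base = range.replace(/^\^/, '');
  const nextMajor = `${parseVersion(base)[0] + 1}.0.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, nextMajor) < 0;
}

// Walk the nested "dependencies" objects and collect "a@1 > b@2 > pkg@v" paths
// whose pkg version is older than `fixed`.
function findVulnerablePaths(tree, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixed) < 0) hits.push(here.join(' > '));
    hits.push(...findVulnerablePaths(node, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample shaped like `npm ls --json`, mirroring the question's tree.
const sampleTree = {
  dependencies: {
    'swagger-ui': {
      version: '3.23.11',
      dependencies: {
        react: { version: '15.6.2', dependencies: {
          fbjs: { version: '0.8.17', dependencies: {
            'isomorphic-fetch': { version: '2.2.1', dependencies: {
              'node-fetch': { version: '1.7.3' } } } } } } },
        'swagger-client': { version: '3.9.4', dependencies: {
          'cross-fetch': { version: '0.0.8', dependencies: {
            'node-fetch': { version: '1.7.3' } } } } },
      },
    },
  },
};

console.log(findVulnerablePaths(sampleTree, 'node-fetch', '2.6.1'));
console.log(satisfiesCaret('^2.6.7', '2.6.8'), satisfiesCaret('^2.6.7', '3.0.0'));
```

Against a real project, replace `sampleTree` with `JSON.parse` of the output of `npm ls --json --all`, then re-run after adding the override to confirm the list is empty.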