fix: swap isomorphic-fetch for node-fetch for security issue (#96)
* fix: swap isomorphic-fetch for cross-fetch for security issue
See #95
* fix: swap cross-fetch with node-fetch@^2.6.7
* temp change(debug): output wskdebug --ngrok myaction to see error message
* Revert "temp change(debug): output wskdebug --ngrok myaction to see error message"
This reverts commit bcae6b542ff412fc0336a39e8ff251738d584d76.
* fix: add --legacy-peer-deps to the wskdebug install in the Dockerfile
node-lts (node-16) ships npm@7, which installs peer dependencies by default. With this flag, peer dependencies are not installed.
* remove --legacy-peer-deps from Dockerfile
* update package-lock.json
diff --git a/package-lock.json b/package-lock.json
index f362cd4..886aa51 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -18,9 +18,9 @@
"fs-extra": "^8.1.0",
"get-port": "^5.1.1",
"is-port-reachable": "^3.0.0",
- "isomorphic-fetch": "^3.0.0",
"livereload": "^0.9.1",
"manakin": "^0.5.2",
+ "node-fetch": "^2.6.7",
"openwhisk": "^3.21.4",
"ora": "^4.0.3",
"pretty-bytes": "^5.3.0",
@@ -2230,15 +2230,6 @@
"integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=",
"dev": true
},
- "node_modules/isomorphic-fetch": {
- "version": "3.0.0",
- "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-3.0.0.tgz",
- "integrity": "sha512-qvUtwJ3j6qwsF3jLxkZ72qCgjMysPzDfeV240JHiGZsANBYd+EEuu35v7dfrJ9Up0Ak07D7GGSkGhCHTqg/5wA==",
- "dependencies": {
- "node-fetch": "^2.6.1",
- "whatwg-fetch": "^3.4.1"
- }
- },
"node_modules/istanbul-lib-coverage": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.0.0.tgz",
@@ -3174,11 +3165,22 @@
}
},
"node_modules/node-fetch": {
- "version": "2.6.1",
- "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
- "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
+ "version": "2.6.7",
+ "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+ "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+ "dependencies": {
+ "whatwg-url": "^5.0.0"
+ },
"engines": {
"node": "4.x || >=6.0.0"
+ },
+ "peerDependencies": {
+ "encoding": "^0.1.0"
+ },
+ "peerDependenciesMeta": {
+ "encoding": {
+ "optional": true
+ }
}
},
"node_modules/node-preload": {
@@ -4232,15 +4234,6 @@
"uuid": "^3.3.2"
}
},
- "node_modules/teeny-request/node_modules/node-fetch": {
- "version": "2.6.1",
- "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
- "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
- "dev": true,
- "engines": {
- "node": "4.x || >=6.0.0"
- }
- },
"node_modules/test-exclude": {
"version": "6.0.0",
"resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-6.0.0.tgz",
@@ -4299,6 +4292,11 @@
"node": ">=8.0"
}
},
+ "node_modules/tr46": {
+ "version": "0.0.3",
+ "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+ "integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
+ },
"node_modules/tslib": {
"version": "1.11.1",
"resolved": "https://registry.npmjs.org/tslib/-/tslib-1.11.1.tgz",
@@ -4397,10 +4395,19 @@
"defaults": "^1.0.3"
}
},
- "node_modules/whatwg-fetch": {
- "version": "3.5.0",
- "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.5.0.tgz",
- "integrity": "sha512-jXkLtsR42xhXg7akoDKvKWE40eJeI+2KZqcp2h3NsOrRnDvtWX36KcKl30dy+hxECivdk2BVUHVNrPtoMBUx6A=="
+ "node_modules/webidl-conversions": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+ "integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
+ },
+ "node_modules/whatwg-url": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+ "integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
+ "dependencies": {
+ "tr46": "~0.0.3",
+ "webidl-conversions": "^3.0.0"
+ }
},
"node_modules/which": {
"version": "1.3.1",
@@ -6457,15 +6464,6 @@
"integrity": "sha1-6PvzdNxVb/iUehDcsFctYz8s+hA=",
"dev": true
},
- "isomorphic-fetch": {
- "version": "3.0.0",
- "resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-3.0.0.tgz",
- "integrity": "sha512-qvUtwJ3j6qwsF3jLxkZ72qCgjMysPzDfeV240JHiGZsANBYd+EEuu35v7dfrJ9Up0Ak07D7GGSkGhCHTqg/5wA==",
- "requires": {
- "node-fetch": "^2.6.1",
- "whatwg-fetch": "^3.4.1"
- }
- },
"istanbul-lib-coverage": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.0.0.tgz",
@@ -7225,9 +7223,12 @@
}
},
"node-fetch": {
- "version": "2.6.1",
- "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
- "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw=="
+ "version": "2.6.7",
+ "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
+ "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
+ "requires": {
+ "whatwg-url": "^5.0.0"
+ }
},
"node-preload": {
"version": "0.2.1",
@@ -8037,14 +8038,6 @@
"node-fetch": "^2.2.0",
"stream-events": "^1.0.5",
"uuid": "^3.3.2"
- },
- "dependencies": {
- "node-fetch": {
- "version": "2.6.1",
- "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz",
- "integrity": "sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==",
- "dev": true
- }
}
},
"test-exclude": {
@@ -8093,6 +8086,11 @@
"is-number": "^7.0.0"
}
},
+ "tr46": {
+ "version": "0.0.3",
+ "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+ "integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o="
+ },
"tslib": {
"version": "1.11.1",
"resolved": "https://registry.npmjs.org/tslib/-/tslib-1.11.1.tgz",
@@ -8178,10 +8176,19 @@
"defaults": "^1.0.3"
}
},
- "whatwg-fetch": {
- "version": "3.5.0",
- "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.5.0.tgz",
- "integrity": "sha512-jXkLtsR42xhXg7akoDKvKWE40eJeI+2KZqcp2h3NsOrRnDvtWX36KcKl30dy+hxECivdk2BVUHVNrPtoMBUx6A=="
+ "webidl-conversions": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+ "integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE="
+ },
+ "whatwg-url": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+ "integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=",
+ "requires": {
+ "tr46": "~0.0.3",
+ "webidl-conversions": "^3.0.0"
+ }
},
"which": {
"version": "1.3.1",
diff --git a/package.json b/package.json
index 228fa27..cfb6995 100644
--- a/package.json
+++ b/package.json
@@ -52,9 +52,9 @@
"fs-extra": "^8.1.0",
"get-port": "^5.1.1",
"is-port-reachable": "^3.0.0",
- "isomorphic-fetch": "^3.0.0",
"livereload": "^0.9.1",
"manakin": "^0.5.2",
+ "node-fetch": "^2.6.7",
"openwhisk": "^3.21.4",
"ora": "^4.0.3",
"pretty-bytes": "^5.3.0",
diff --git a/src/invoker.js b/src/invoker.js
index e0cdf37..1ff094b 100644
--- a/src/invoker.js
+++ b/src/invoker.js
@@ -17,7 +17,7 @@
'use strict';
-const fetch = require('fetch-retry')(require('isomorphic-fetch'));
+const fetch = require('fetch-retry')(require('node-fetch'));
const kinds = require('./kinds/kinds');
const path = require('path');
const log = require("./log");
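Review bot: The new `require('node-fetch')` line carries no record of why this package and version floor were chosen, and it only works while the dependency stays on the 2.x line, because node-fetch 3 is published as ESM-only and cannot be loaded with `require()`. I would add a comment above it such as `// node-fetch kept at ^2.6.7 for the security fix tracked in #95; stay on 2.x, v3 is ESM-only and breaks require()`. Separately, isomorphic-fetch registered a global `fetch` as a side effect of being required and node-fetch does not, so any module that relied on the global instead of this wrapped `fetch` would now fail at call time. The rest of src/invoker.js is outside the hunk, so a search for bare `fetch(` uses across src/ and test/ is worth doing before merging.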
diff --git a/test/ngrok.test.js b/test/ngrok.test.js
index 88e2c4b..bb3dce6 100644
--- a/test/ngrok.test.js
+++ b/test/ngrok.test.js
@@ -24,7 +24,7 @@
const assert = require('assert');
const nock = require('nock');
-const fetch = require('isomorphic-fetch');
+const fetch = require('node-fetch');
const mockRequire = require('mock-require');
function mockNgrokLibrary(connect, kill) {