
CVE-2022-0235 - node-fetch (peer dependency via isomorphic-fetch) #213

@nathanlodge

Description


CVE-2022-0235

Versions of the node-fetch package lower than 2.6.7 are potentially vulnerable to exposure of sensitive information to an unauthorized actor (see GHSA-r683-j2x4-v87g).

The node-fetch package is a peer dependency of the Avatax-REST-V2-JS-SDK package via the isomorphic-fetch package:

"isomorphic-fetch": "^2.2.1"

isomorphic-fetch:
version "2.2.1"
resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9"
dependencies:
node-fetch "^1.0.1"
whatwg-fetch ">=0.10.0"

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.7                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ isomorphic-fetch                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ isomorphic-fetch > node-fetch                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1006899                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Overriding node-fetch to a safe version is not currently an option.

Testing with node-fetch version 2.6.7, the following TypeError is encountered:

TypeError: Cannot read properties of undefined (reading 'content-type')

while handling responses here:

var contentType = res.headers._headers['content-type'];
var contentLength = res.headers._headers['content-length'];

Would it be possible to prioritize a fix for this vulnerability?
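The TypeError quoted above comes from reading the private `_headers` property, which node-fetch 1.x happens to expose but node-fetch 2.x does not (2.x keeps its map under a Symbol key and exposes only the WHATWG `Headers` API). The following is an added example, not code from the Avatax-REST-V2-JS-SDK project or from the issue author: it shows the quoted access pattern failing on a 2.x-style response and a version-agnostic accessor that uses the public `headers.get()` method first, so the SDK's own code stops blocking an upgrade to the patched node-fetch. The two response objects are constructed stand-ins for the 1.x layout (a plain object whose values are arrays, as in node-fetch 1.x) and the 2.x layout (a `get` method only); `getHeader` and `describeResponse` are hypothetical names, and no network is used.

```javascript
// Added example, not the SDK's own code: read response headers without
// depending on node-fetch internals.
//
// node-fetch 1.x: res.headers._headers is a plain object, values are arrays,
//                 e.g. { 'content-type': ['application/json'] }.
// node-fetch 2.x: no _headers property at all (storage is Symbol-keyed), so
//                 res.headers._headers['content-type'] throws
//                 "TypeError: Cannot read properties of undefined".
// headers.get(name) exists in 1.x, 2.x and browser fetch, so it is portable.

// Same access pattern as the two lines quoted in the issue (the 'before').
function getHeaderLegacy(res, name) {
  return res.headers._headers[name.toLowerCase()];
}

// Version-agnostic accessor (hypothetical name): public API first, the 1.x
// private map only as a fallback, and always a single string or null.
function getHeader(res, name) {
  const headers = res && res.headers;
  if (!headers) return null;
  const key = String(name).toLowerCase();
  if (typeof headers.get === 'function') {
    const v = headers.get(key);
    return v === undefined ? null : v;
  }
  if (headers._headers && Object.prototype.hasOwnProperty.call(headers._headers, key)) {
    const v = headers._headers[key];
    return Array.isArray(v) ? (v.length ? v[0] : null) : v;
  }
  return null;
}

// The response-handling decision rebuilt on top of getHeader (hypothetical):
// is the body JSON, and is there a body at all?
function describeResponse(res) {
  const contentType = getHeader(res, 'content-type') || '';
  const contentLength = getHeader(res, 'content-length');
  return {
    isJson: /^application\/json\b/i.test(contentType),
    isEmpty: contentLength === '0' || contentLength === 0,
  };
}

// Constructed stand-ins for the two header implementations (no network).
const nodeFetch1Style = {
  headers: {
    _headers: {
      'content-type': ['application/json; charset=utf-8'],
      'content-length': ['27'],
    },
  },
};
const nodeFetch2Style = {
  headers: {
    _map: new Map([['content-type', 'application/json'], ['content-length', '0']]),
    get(n) {
      const v = this._map.get(String(n).toLowerCase());
      return v === undefined ? null : v;
    },
  },
};

// Run both accessors against both layouts and report what happened.
function demo() {
  const results = { legacyOn1x: getHeaderLegacy(nodeFetch1Style, 'content-type') };
  try {
    getHeaderLegacy(nodeFetch2Style, 'content-type');
    results.legacyOn2x = 'no error';
  } catch (e) {
    results.legacyOn2x = e.constructor.name; // 'TypeError', as reported in the issue
  }
  results.portableOn1x = describeResponse(nodeFetch1Style);
  results.portableOn2x = describeResponse(nodeFetch2Style);
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the legacy accessor returns an array on 1.x (`['application/json; charset=utf-8']`), so any string comparison against it was already fragile; `getHeader` unwraps that to the first value, which is what `Headers.prototype.get` returns in node-fetch 1.x as well.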
