Security issues within `make-fetch-happen`

[Johannesklint]

Describe the bug

The dependency chain is quite large but basically cross-spawn has a known security issue in the version used in this project. I think that it'll be enough for you to bump make-fetch-happen to the latest version and you'll be good

Here is the chain all the way down to cross-spawn

unleash-client@6.6.0
  → make-fetch-happen@13.0.1
    → cacache@18.0.4
      → glob@10.4.5
        → foreground-child@3.3.0
          → cross-spawn@7.0.3

[gastonfournier]

Hi @Johannesklint can you link the issue you're referring to? This has not been identified as an issue in our dependency scan by Dependabot.

We've also been considering migrating to https://github.com/sindresorhus/ky, which uses the native fetch implementation, and I wanted to use this opportunity to ask what you think about that possibility.

[Johannesklint]

That's strange. If I look through the dependency chain manually, I can see the security vulnerability – strange that Dependabot doesn't detect it in this project (it does on mine).

Well, I don't have a deep know knowledge how you are using make-fetch-happen fetch mechanism. But my two cents are that ky is the more modern choice for requests, while make-fetch-happen is the heavy-duty tool built specifically for npm's infrastructure. ky is simpler. make-fetch-happen prioritizes caching and other things.

Another good thing about ky is that it has no dependencies – so security wise it would be better.

I guess that didn't help much… 🫠

[gastonfournier]

Thanks @Johannesklint, any feedback and input is better than none! Thanks!!

We've done this migration in Unleash around 5 months ago, and we've been very happy with it: Unleash/unleash#10134, but we didn't find time to do it in this SDK. I'm looking at solving this security vulnerability to patch the current version and maybe release a new minor with ky as a follow up

[Johannesklint]

@gastonfournier I actually found this PR from Renovatebot to bump make-fetch-happen
#754

[gastonfournier]

HI @Johannesklint yes, we saw it, but that requires dropping Node 16 support and migrating other libraries due to inconsistencies. We're going to be doing some upgrades to this SDK to modernize it, which will unlock those changes (although most likely we'll drop make-fetch-happen)

[gastonfournier]

Hi @Johannesklint we did get rid of some vulnerabilities, in particular the glob one in the latest release. Could you please check if this resolves your problem?