Closed
Labels
- Complexity: Medium
- Feature: Board/GitHub Maintenance (project board maintenance that we have to do repeatedly)
- Status: Urgent (needs to be worked on immediately)
- role: back end/devOps (tasks for back-end developers)
- size: 2pt (can be done in 7-12 hours)
- status: Updated (no blockers and update is ready for review)
Description
Overview
As a developer, I would like the website team repo to be free of security vulnerabilities. For this issue, we will address the security vulnerability alert related to node-fetch.
Details
This issue addresses a security issue in node-fetch version < 2.6.7 that was automatically prompted by GitHub's dependabot.
Note: Node-fetch is vulnerable to exposure of sensitive information to an unauthorized actor.
Action Items
- Enable alerts and updates in your own fork of the Hack for LA website so that they match those in the Hack for LA repository. These settings can be found in the settings tab of your own repo under "Code security and analysis" and are referenced in image 1 below.
- After enabling the above, you should see an autogenerated PR in your own repository which references the node-fetch vulnerability, images 2 and 3 below.
- Review package-lock.json file where changes need to be made.
- Double-check if this update has caused issues and/or unintended changes in repositories that were updated.
- Include the results of your check as a comment in this issue.
- Address this PR in your own repository in order to test if the update causes any issues for the Hack for LA website.
- Pending successful research and testing of the update, create a PR to merge the changes in node-fetch to gh-pages (main).
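While reviewing package-lock.json (step 3 above), it helps to confirm exactly which copies of node-fetch are still below the fixed version 2.6.7, since a transitive dependency can pull in a second, older copy that the top-level entry does not show. The script below is an added example, not code from the Hack for LA repository or from Dependabot; it handles both the nested lockfileVersion 1 layout ("dependencies") and the flat lockfileVersion 2/3 layout ("packages"), and runs against a constructed sample lockfile.

```javascript
// Added example: list every node-fetch entry in a package-lock.json that is
// older than the fixed version named in the issue. To scan a real file, replace
// SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).

const FIXED_VERSION = '2.6.7';

// Compare dotted numeric versions; returns -1, 0 or 1. A pre-release suffix
// (e.g. "3.0.0-beta.1") is dropped before comparing.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: "dependencies" is a tree, so recurse to catch nested copies.
function walkV1(deps, path, found) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path ? `${path} > ${name}` : name;
    if (name === 'node-fetch') found.push({ path: here, version: info.version });
    walkV1(info.dependencies, here, found);
  }
}

// Return every node-fetch occurrence (path + version) below FIXED_VERSION.
function findVulnerableNodeFetch(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/foo/node_modules/node-fetch".
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/node-fetch')) found.push({ path: key, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, '', found);
  }
  return found.filter((f) => f.version && compareVersions(f.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (v2 layout): one outdated copy, one already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-site' },
    'node_modules/node-fetch': { version: '2.6.1' },
    'node_modules/some-tool/node_modules/node-fetch': { version: '2.6.7' },
  },
};

console.log(findVulnerableNodeFetch(SAMPLE_LOCK)); // only the 2.6.1 copy is reported
```

If the list is empty after Dependabot's PR is applied, every copy in the lockfile is at or above 2.6.7; any remaining entry names the nested path that still needs updating.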
Resources/Instructions
A page about dependabot and enabling alerts/updates
Package-lock.json file
Is there a dependency?
No
If Yes, please explain
N/A
Status: Done