Patch for node-fetch version 2.x.x CVE-2022-2596

[fluxquantum]

Hello, per your upgrade guide that states "This module was converted to be a ESM only package in version 3.0.0-beta.10. node-fetch is an ESM-only module - you are not able to import it with require. We recommend you stay on v2 which is built with CommonJS unless you use ESM yourself. We will continue to publish critical bug fixes for it."

In order to stay on version 2, it would require CVE-2022-2596 to be addressed. I have tried to use a more recent version but it introduces breaking changes to the current code base, which I have reported as a bug currently in another issue I created (#1620).

May I request that a patch release be made to address vulnerabilities reported for version 2.x(2.6.7 in my case). Or alternatively additional guidance on how I can upgrade to the next generation version?

I am running a nodejs express server, but after adding the async import, my endpoints have stopped working.

i.e.

server.use('/sso', (req, res) => {
getTokenAndUser(querystring1, querystring2)
// elided
}.then(tokenUserObject => {
}

Thank you for your time.