node-fetch dependency is outdated

[aquapi]

Run next info (available from version 12.0.8 and up)

# npm audit report

node-fetch  <3.1.1
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install next@10.0.1, which is a breaking change

This is what I receive from NPM after installing Next.js and run npm audit

What version of Next.js are you using?

12.0.8

What version of Node.js are you using?

17.4.0

What browser are you using?

Edge

What operating system are you using?

Windows

How are you deploying your application?

Other platform

Describe the Bug

2 high severity vulnerabilities

Expected Behavior

No severity vulnerability

To Reproduce

npm install next

[Mitsunee]

Another vulnerability could possibly happen for nanoid (dependency of postcss, which is stuck at 8.2.15 even if I try to add it as a direct dependency of my project)

[aldabil21]

Probably soon in stable. Merged in canary #33466

[Seijinx]

Probably soon in stable. Merged in canary #33466

They updated from 2.6.1 to 2.6.7 which is still considered a vulnerability at this point.

[NigelGreenway]

Here is the advisory with more information.

GHSA-r683-j2x4-v87g

[balazsorban44]

#33556 (comment) is the correct answer. 2.6.7 included the same patch. See https://github.com/node-fetch/node-fetch/releases/tag/v2.6.7

[github-actions]

This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.