Found 3 vulnerabilities #537

Open
caiusCitiriga opened this issue Jan 26, 2022 · 4 comments

Comments

@caiusCitiriga

By installing the package I get the "vulnerabilities found" warning message from NPM. These seem not to be fixable by a simple `npm audit fix`, which returns:

# npm audit report

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    binance-api-node  >=0.0.1
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/binance-api-node

3 vulnerabilities (2 low, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

I don't like the idea of the `--force` flag, while the issue could be addressed by updating the packages on the main repo.
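The audit output above names the vulnerable path (`node_modules/isomorphic-fetch/node_modules/node-fetch`) but not how to pin a fixed node-fetch without `npm audit fix --force`. The script below is an added example, not code from binance-api-node or from anyone in this thread: it reads a `package-lock.json` (v2/v3 `packages` map), flags every node-fetch install in the range npm reported (`<= 2.6.6`), reconstructs the dependency chain from the root package, and emits the `package.json` `overrides` entry (npm 8.3 and later) that pins node-fetch only under its direct parent. The lockfile embedded here is constructed to mirror the tree in the audit report; its version numbers are illustrative, not taken from a real binance-api-node release.

```javascript
// Added example: lockfile scan for vulnerable node-fetch installs plus an
// "overrides" entry to pin a fixed version. Not part of binance-api-node.

// Constructed sample package-lock.json (v2 "packages" layout). Versions are
// illustrative; the nesting mirrors the audit report in this issue.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "trading-bot", dependencies: { "binance-api-node": "^0.11.0" } },
    "node_modules/binance-api-node": {
      version: "0.11.0",
      dependencies: { "isomorphic-fetch": "^2.2.1" },
    },
    "node_modules/isomorphic-fetch": {
      version: "2.2.1",
      dependencies: { "node-fetch": "^1.0.1", "whatwg-fetch": ">=0.10.0" },
    },
    // nested copy: isomorphic-fetch 2.x wants node-fetch 1.x, so npm installs
    // its own copy under isomorphic-fetch/node_modules
    "node_modules/isomorphic-fetch/node_modules/node-fetch": { version: "1.7.3" },
    "node_modules/whatwg-fetch": { version: "3.6.2" },
    // a top-level node-fetch that is already past the advisory range
    "node_modules/node-fetch": { version: "2.6.7" },
  },
};

const VULN_PKG = "node-fetch";
const MAX_VULN = "2.6.6"; // range printed by npm audit: node-fetch <= 2.6.6
const FIXED = "^2.6.7";   // first version outside that range

// Numeric major.minor.patch compare; pre-release tags are ignored here.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1).map(Number);
}
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
function isVulnerable(version) {
  return compareSemver(version, MAX_VULN) <= 0;
}

// Package name is the segment after the last "node_modules/".
function pkgName(loc) {
  return loc.split("node_modules/").pop();
}

// Node-style resolution inside the lockfile: from location `from`, look for
// <from>/node_modules/<name>, then walk up one nesting level at a time.
function resolveDep(lock, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Every location whose declared dependencies resolve to `target`.
function dependents(lock, target) {
  const name = pkgName(target);
  return Object.entries(lock.packages)
    .filter(([loc, meta]) => meta.dependencies && name in meta.dependencies &&
      resolveDep(lock, loc, name) === target)
    .map(([loc]) => loc);
}

// Chain of package names from a root dependency down to `target`.
function chainToRoot(lock, target) {
  const chain = [pkgName(target)];
  const seen = new Set([target]);
  let cur = target;
  for (;;) {
    const parents = dependents(lock, cur).filter((p) => !seen.has(p));
    if (parents.length === 0 || parents[0] === "") break; // reached the root
    cur = parents[0];
    seen.add(cur);
    chain.unshift(pkgName(cur));
  }
  return chain;
}

function findVulnerable(lock) {
  return Object.entries(lock.packages)
    .filter(([loc, meta]) => loc && pkgName(loc) === VULN_PKG && isVulnerable(meta.version))
    .map(([loc, meta]) => ({ location: loc, version: meta.version, chain: chainToRoot(lock, loc) }));
}

// package.json "overrides" block pinning node-fetch only under its direct parent,
// so unrelated consumers of node-fetch are left alone.
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) {
    const parent = f.chain.length > 1 ? f.chain[f.chain.length - 2] : null;
    if (parent) overrides[parent] = { [VULN_PKG]: FIXED };
    else overrides[VULN_PKG] = FIXED; // node-fetch is a direct dependency
  }
  return { overrides };
}

function report(lock) {
  const findings = findVulnerable(lock);
  for (const f of findings) {
    console.log(`${f.location}: ${VULN_PKG}@${f.version} via ${f.chain.join(" > ")}`);
  }
  console.log(JSON.stringify(overridesFor(findings), null, 2));
  return findings;
}

// Usage: node scan-lock.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  report(process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK);
}
```

An override only removes the audit finding; whether node-fetch 2.x is API-compatible with what the parent package (here isomorphic-fetch 2.2.1, which declares `node-fetch ^1.0.1`) expects still has to be checked by running the application's tests after `npm install`.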

@balthazar
Member

balthazar commented Jan 26, 2022

Agree that it's an issue, but would only be concerning if the lib was targeting untrusted sources which would use this redirect vuln. We could switch to got eventually, but I'd prefer to keep some client support too so rely on global fetch or a polyfill? tbd

@caiusCitiriga
Author

I agree that it's not a dangerous issue for how it is being used. Just wanted to pin it up, so in the future might be addressed 😊

Btw, great job with this library 🚀

@evaleiraspollux

When do you plan to fix these vulnerabilities?

@balthazar
Member

@evaleiraspollux Care to make a PR if you're concerned?
