New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency node-fetch to v3 [security] #865

Open

renovate wants to merge 1 commit into master from renovate/npm-node-fetch-vulnerability

Contributor

renovate bot commented Aug 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
node-fetch	`2.6.7` -> `3.2.10`

GitHub Vulnerability Alerts

CVE-2022-0235

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

CVE-2022-2596

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

Release Notes

node-fetch/node-fetch (node-fetch)

`v3.2.10`

Bug Fixes

ReDoS referrer (#1611) (2880238)

`v3.2.9`

Bug Fixes

Headers: don't forward secure headers on protocol change (#1599) (e87b093)

`v3.2.8`

Bug Fixes

possibly flaky test (#1523) (11b7033)

`v3.2.7`

Bug Fixes

always warn Request.data (#1550) (4f43c9e)

`v3.2.6`

Bug Fixes

undefined reference to response.body when aborted (#1578) (1c5ed6b)

`v3.2.5`

Bug Fixes

use space in accept-encoding values (#1572) (a92b5d5), closes #1571

`v3.2.4`

Bug Fixes

don't uppercase unknown methods (#1542) (004b3ac)

`v3.2.3`

Bug Fixes

handle bom in text and json (#1482) (6425e20)

`v3.2.2`

Bug Fixes

add missing formdata export to types (#1518) (a4ea5f9), closes #1517

`v3.2.1`

Bug Fixes

cancel request example import (#1513) (61b3b5a)

`v3.2.0`

Features

export Blob, File and FormData + utilities (#1463) (81b1378)

`v3.1.1`

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

core: update fetch-blob by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1371
docs: Fix typo around sending a file by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1381
core: (http.request): Cast URL to string before sending it to NodeJS core by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1378
core: handle errors from the request body stream by @mdmitry01 in https://github.com/node-fetch/node-fetch/pull/1392
core: Better handle wrong redirect header in a response by @tasinet in https://github.com/node-fetch/node-fetch/pull/1387
core: Don't use buffer to make a blob by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1402
docs: update readme for TS @types/node-fetch by @adamellsworth in https://github.com/node-fetch/node-fetch/pull/1405
core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @maxshirshin in https://github.com/node-fetch/node-fetch/pull/1369
core: Don't use global buffer by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1422
ci: fix main branch by @dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1429
core: use more node: protocol imports by @dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1428
core: Warn when using data by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1421
docs: Create SECURITY.md by @JamieSlome in https://github.com/node-fetch/node-fetch/pull/1445
core: don't forward secure headers to 3th party by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1449

New Contributors

@mdmitry01 made their first contribution in https://github.com/node-fetch/node-fetch/pull/1392
@tasinet made their first contribution in https://github.com/node-fetch/node-fetch/pull/1387
@adamellsworth made their first contribution in https://github.com/node-fetch/node-fetch/pull/1405
@maxshirshin made their first contribution in https://github.com/node-fetch/node-fetch/pull/1369
@JamieSlome made their first contribution in https://github.com/node-fetch/node-fetch/pull/1445

Full Changelog: node-fetch/node-fetch@v3.1.0...v3.1.1

`v3.1.0`

What's Changed

fix(Body): Discourage form-data and buffer() by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1212
fix: Pass url string to http.request by @serverwentdown in https://github.com/node-fetch/node-fetch/pull/1268
Fix octocat image link by @lakuapik in https://github.com/node-fetch/node-fetch/pull/1281
fix(Body.body): Normalize Body.body into a node:stream by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/924
docs(Headers): Add default Host request header to README.md file by @robertoaceves in https://github.com/node-fetch/node-fetch/pull/1316
Update CHANGELOG.md by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1292
Add highWaterMark to cloned properties by @davesidious in https://github.com/node-fetch/node-fetch/pull/1162
Update README.md to fix HTTPResponseError by @thedanfernandez in https://github.com/node-fetch/node-fetch/pull/1135
docs: switch url to URL by @dhritzkiv in https://github.com/node-fetch/node-fetch/pull/1318
fix(types): declare buffer() deprecated by @dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1345
chore: fix lint by @dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1348
refactor: use node: prefix for imports by @dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1346
Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @dependabot in https://github.com/node-fetch/node-fetch/pull/1319
Bump mocha from 8.4.0 to 9.1.3 by @dependabot in https://github.com/node-fetch/node-fetch/pull/1339
Referrer and Referrer Policy by @tekwiz in https://github.com/node-fetch/node-fetch/pull/1057
Add typing for Response.redirect(url, status) by @c-w in https://github.com/node-fetch/node-fetch/pull/1169
chore: Correct stuff in README.md by @Jiralite in https://github.com/node-fetch/node-fetch/pull/1361
docs: Improve clarity of "Loading and configuring" by @serverwentdown in https://github.com/node-fetch/node-fetch/pull/1323
feat(Body): Added support for BodyMixin.formData() and constructing bodies with FormData by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1314
template: Make PR template more task oriented by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1224
docs: Update code examples by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1365

New Contributors

@serverwentdown made their first contribution in https://github.com/node-fetch/node-fetch/pull/1268
@lakuapik made their first contribution in https://github.com/node-fetch/node-fetch/pull/1281
@robertoaceves made their first contribution in https://github.com/node-fetch/node-fetch/pull/1316
@davesidious made their first contribution in https://github.com/node-fetch/node-fetch/pull/1162
@thedanfernandez made their first contribution in https://github.com/node-fetch/node-fetch/pull/1135
@dhritzkiv made their first contribution in https://github.com/node-fetch/node-fetch/pull/1318
@dnalborczyk made their first contribution in https://github.com/node-fetch/node-fetch/pull/1345
@dependabot made their first contribution in https://github.com/node-fetch/node-fetch/pull/1319
@c-w made their first contribution in https://github.com/node-fetch/node-fetch/pull/1169

Full Changelog: node-fetch/node-fetch@v3.0.0...v3.1.0

`v3.0.0`

version 3 is going out of a long beta period and switches to stable

One major change is that it's now a ESM only package
See changelog for more information about all the changes.

`v2.7.0`

Features

AbortError (#1744) (9b9d458)

`v2.6.13`

Bug Fixes

Remove the default connection close header (#1765) (65ae25a), closes #1735 #1473 #1736

`v2.6.12`

Bug Fixes

socket variable testing for undefined (#1726) (8bc3a7c)

`v2.6.11`

Reverts

Revert "fix: handle bom in text and json (#1739)" (#1741) (afb36f6), closes #1739 #1741

`v2.6.10`

Bug Fixes

handle bom in text and json (#1739) (29909d7)

`v2.6.9`

Bug Fixes

"global is not defined" (#1704) (70f592d)

`v2.6.8`

Bug Fixes

headers: don't forward secure headers on protocol change (#1605) (fddad0e), closes #1599
premature close with chunked transfer encoding and for async iterators in Node 12 (#1172) (50536d1), closes #1064 /github.com/node-fetch/node-fetch/pull/1064#issuecomment-849167400
prevent hoisting of the undefined global variable in browser.js (#1534) (8bb6e31)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency node-fetch to v3 [security]

a1ed0e1

Contributor Author

renovate bot commented Aug 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21609
    throw new Error(
          ^

Error: Error when performing the request to https://registry.npmjs.org/yarn/latest; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
    at fetch (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21609:11)
    at async fetchAsJson (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21623:20)
    ... 4 lines matching cause stack trace ...
    at async Object.runMain (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:23096:5) {
  [cause]: TypeError: globalThis.fetch is not a function
      at fetch (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21603:33)
      at async fetchAsJson (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21623:20)
      at async fetchLatestStableVersion (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21550:20)
      at async fetchLatestStableVersion2 (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:21672:14)
      at async Engine.getDefaultVersion (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:22292:23)
      at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:22390:47)
      at async Object.runMain (/opt/containerbase/tools/corepack/0.29.3/16.14.2/node_modules/corepack/dist/lib/corepack.cjs:23096:5)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet