
Update dependency got to v11 [SECURITY] #81

Open. Wants to merge 1 commit into base: master.

Conversation

@renovate renovate bot commented Jun 23, 2022

This PR contains the following updates:

Package: got
Change: ^8.0.1 -> ^11.0.0

GitHub Vulnerability Alerts

CVE-2022-33987

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.


Release Notes

sindresorhus/got (got)

v11.8.5

v11.8.3

v11.8.2

  • Make the dnsCache option lazy (#1529) 3bd245f
    This slightly improves Got startup performance and fixes an issue with Jest.

v11.8.1

v11.8.0

v11.7.0

Fixes
  • Fix a regression where body was sent after redirect 88b32ea
  • Fix destructure error on promise.json() c97ce7c
  • Do not ignore userinfo on a redirect to the same origin 52de13b

v11.6.2

Bug fixes
  • Inherit the prefixUrl option from parent if it's undefined (#1448) a3da70a
  • Prepare a fix for hanging promise on Node.js 14.10.x 29d4e32
  • Prepare for Node.js 15.0.0 c126ff1

v11.6.1

v11.6.0

Improvements
  • Add retry stream event (#1384) 7072198
  • Add types for http-cache-semantics options 2e2295f
  • Make CancelError inherit RequestError 1f132e8
  • Add retryAfter to RetryObject 643a305
  • Add documentation comments to exported TypeScript types (#1278) eaf1e02
  • Move cache options into a cacheOptions property 9c16d90
Bug fixes
  • Got promise shouldn't retry when the body is a stream 6e1aeae
Docs
  • Add an example of nock integration with retrying f7bbc37
  • Fix CancelError docs 28c400f
  • Fix retry delay function in the README (#1425) 38bbb04

v11.5.2

Bug fixes
  • Fix duplicated hooks when paginating e02845f
  • Fix dnsCache: true having no effect 043c950

v11.5.1

Enhancements
  • Upgrade http2-wrapper to 1.0.0-beta.5.0 16e7f03
  • Compatibility fix to ignore incorrect Node.js 12 typings f7a1379 61d6f61

v11.5.0

Fixes
  • Fix TypeScript types for Promise API (#1344) 676be6d
  • Fix cache not working with HTTP2 ac5f67d
  • Fix response event not being emitted on cache verify request (#1305) da4769e
  • Work around a bug in Node.js <=12.18.2 f33e8bc
  • Remove request error handler after response is downloaded e1afe82
  • Revert "Remove request error handler after response is downloaded" aeb2e07
Docs
  • Mention advanced usage of a beforeRequest hook 779062a
  • Mention to end the stream if there's no body 044767e

v11.4.0

  • Fix hanging promise on timeout on HTTP error 934211f
  • Use async iterators to get response body (#​1256) 7dcd145
  • Fix promise not returning Buffer on compressed response 5028c11
  • Clarify options.encoding docs 04f3ea4
  • Fix unhandled The server aborted pending request rejection 728aef9
  • Add missing ECONNRESET code to an abort error d325d35
  • Fix prefixUrl not working when the url argument is empty 8d3412a
  • Improve the searchParams option 4dbada9
  • Fix non-enumerable options [such as body] not being used 8f775c7

v11.3.0

v11.2.0

v11.1.4

v11.1.3

v11.1.2

Bug fixes
  • Disable options.dnsCache by default 79507c2

This should stay disabled when making requests to internal hostnames such as localhost, database.local etc.
CacheableLookup uses dns.resolver4(..) and dns.resolver6(...) under the hood and falls back to dns.lookup(...) when the first two fail, which may lead to additional delay.

v11.1.1

  • Improve Node.js 14 compatibility 50ef99a
  • Fix got.mergeOptions() regression 157e02b
  • Fix hanging promise when using cache 7b19e8f
  • Make options.responseType optional when using a template 9ed0a39

v11.1.0

v11.0.3

Fixes
  • Limit number of requests in pagination to prevent accidental overflows (#1181) 4344c3a
  • Fix promise rejecting before retry b927e2d
  • Fix options.searchParams duplicates 429db40
  • Prevent calling .abort() on a destroyed request 63c1b72
Docs
  • Fix incorrect usage in the readme examples (#1203) 16ff82f
  • Note that cache and dnsCache can be false 7c5290d

v11.0.2

  • Fix response.statusMessage being null 965bd03
  • Update the http2-wrapper dependency to 1.0.0-beta.4.4 4e8de8e
  • Use Merge as it's stricter than the intersection operator d3b972e
  • Prevent silent rejections in rare cases 8501c69
  • Do not alter options.body 835c70b

v11.0.1

Fixed two regressions:

  • HTTPErrors have unspecified response body (#1162)
  • Options are duplicated while merging (#1163)

Improved TypeScript types for errors inherited from RequestError

v11.0.0

Introducing Got 11! 🎉 The last major version was in December last year. ❄️ Since then, a huge number of bugs have been fixed. There are also many new features; for example, HTTP2 support is finally live! 🌐

If you find Got useful, you might want to sponsor the Got maintainers.


Breaking changes

Removed support for electron.net

Due to the inconsistencies between Electron's net module and the Node.js http module, we have decided to officially drop support for it. Therefore, the useElectronNet option has been removed.

You'll still be able to use Got in the Electron main process and in the renderer process through the electron.remote module or if you use Node.js shims.

The Pagination API is now stable

We haven't seen any bugs yet, so please give it a try!
If you want to leave some feedback, you can do it here. Any suggestion is greatly appreciated!

 {
-    _pagination: {...}
+    pagination: {...}
 }

API
  • The options.encoding behavior has been reverted back to the Got 9 behavior.
    In other words, the option is only meant for the Got promise API.
    To set the encoding for streams, simply call stream.setEncoding(encoding).
-got.stream('https://sindresorhus.com', {encoding: 'base64'});
+got.stream('https://sindresorhus.com').setEncoding('base64');

// Promises stay untouched
await got('https://sindresorhus.com', {encoding: 'base64'});
  • The error name GotError has been renamed to RequestError for better readability and to comply with the documentation.
-const {GotError} = require('got');
+const {RequestError} = require('got');
  • The agent option now accepts only an object with http, https and http2 properties.
    While the http and https properties accept native http(s).Agent instances, the http2 property must be an instance of http2wrapper.Agent or be undefined.
{
-    agent: new https.Agent({keepAlive: true})
}

{
+    agent: {
+        http: new http.Agent({keepAlive: true}),
+        https: new https.Agent({keepAlive: true}),
+        http2: new http2wrapper.Agent()
+    }
}
  • The dnsCache option is now set to a default instance of CacheableLookup. It cannot be a Map-like instance anymore. The underlying cacheable-lookup package has received many improvements, for example, it has received hosts file support! Additionally, the cacheAdapter option has been renamed to cache. Note that it's no longer passed to Keyv, so you need to pass a Keyv instance if you want to save the data for later.
{
-    dnsCache: new CacheableLookup({
-        cacheAdapter: new Map()
-    })
}

{
+    dnsCache: new CacheableLookup({
+        cache: new Keyv({
+            cacheAdapter: new Map()
+        })
+    })
}

// Default:

{
    dnsCache: new CacheableLookup()
}
  • Errors thrown in init hooks will be converted to instances of RequestError. RequestErrors provide much more useful information, for example, you can access the Got options (through error.options), which is very useful when debugging.
const got = require('got');

(async () => {
    try {
        await got('https://sindresorhus.com', {
            hooks: {
                init: [
                    options => {
                        if (!options.context) {
                            throw new Error('You need to pass a `context` option');
                        }
                    }
                ]
            }
        });
    } catch (error) {
        console.log(`Request failed: ${error.message}`);
        console.log('Here are the options:', error.options);
    }
})();
  • The options passed in an init hook may not have a url property. To modify the request URL you should use a beforeRequest hook instead.
{
    hooks: {
-        init: [
+        beforeRequest: [
            options => {
                options.url = 'https://sindresorhus.com';
            }
        ]
    }
}

Note that this example shows a simple use case. In more complicated algorithms, you need to split the init hook into another init hook and a beforeRequest hook.

  • The error.request property is no longer a ClientRequest instance. Instead, it gives a Got stream, which provides a set of useful properties.
const got = require('got');

(async () => {
    try {
        await got('https://sindresorhus.com/notfound');
    } catch (error) {
        console.log(`Request failed: ${error.message}`);
        console.log('Download progress:', error.request.downloadProgress);
    }
})();

Renamed TypeScript types

Some of the TypeScript types have been renamed to improve readability:

Old type            → New type
ResponseObject      → Response
Defaults            → InstanceDefaults
DefaultOptions      → Defaults
DefaultRetryOptions → RequiredRetryOptions
GotOptions          → Options
GotRequestMethod    → GotRequestFunction

Other
  • Now requires Node.js 10.19 or later.

Enhancements

HTTP2 support is here! Excited? Yay! Unfortunately, it's off by default to make the migration smoother. Many Got users have set up their own Agents and we didn't want to break them. But fear no more, it will come enabled by default in Got 12.

const got = require('got');

(async () => {
    const response = await got('https://nghttp2.org/httpbin/anything', {http2: true});
    console.log(response.socket.alpnProtocol);
    //=> 'h2'
})();

  1. The merge function is slow (#1016)
  2. Use error.code instead of error.message to compare errors (#981)
  3. Pass error thrown in the init hook to beforeError hook (#929)
  4. Errors have undefined body when using streams (#1138)
  5. Spaces should be normalized as + in query strings (#1113)
  6. Modify response headers while using got.stream(...) (#1129)
  7. Make error.request a Got stream (af0b147).

Known bugs

  1. When some errors occur, the timings may indicate that the request was successful although it failed.
  2. When some errors occur, the downloadProgress object may show incorrect data.

Bug fixes

  1. Requests to UNIX sockets are missing query strings (#1036)
  2. beforeRequest hooks aren't called on redirects (#994)
  3. Errors are swallowed when using stream.pipeline(got.stream(...), ...) (#1026)
  4. Cannot use the cache along with the body option (#1021)
  5. Got doesn't throw on leading slashes (#1057)
  6. Got throws when passing already frozen options (#1050)
  7. Cannot type Got options properly due to missing types (#954)
  8. got.mergeOptions(...) doesn't merge URLSearchParams instances (#1011)
  9. The authorization header is leaking (#1090)
  10. Pagination should ignore the resolveBodyOnly option (#1140)
  11. Cannot reuse user-provided options (#1118)
  12. Broken with Node.js ≥ 13.10.0 (#1107)
  13. Cache is not decompressed (#1158)
  14. beforeRetry hooks are missing options.context (#1141)
  15. promise.json() doesn't throw ParseError (#1069)
  16. Not compatible with [email protected] (#1131)
  17. Shortcuts give body from the failed request on token renewal (#1120)
  18. No effect when replacing the cache option in a Got instance (#1098)
  19. Memory leak when using cache (#1128)
  20. Got doesn't throw on aborted requests by the server (#1096)

v10.7.0

v10.6.0

v10.5.7

  • Fix Init hooks not being called if extended acefaa4

v10.5.6

v10.5.5

  • Fix merging pagination options 1f363b9

v10.5.4

  • Fix _pagination not falling back to defaults ff1dba1

v10.5.3

  • Fix unhandled errors if throwing in an async handler 518d95a

v10.5.2

  • Forgot to include required p-event dependency 8373112

v10.5.1

v10.5.0

v10.4.0

  • Update @szmarczak/cacheable-lookup dependency d527dae
  • Include invalid JSON body in ParseErrors (#1044) 2813b73
  • Fix got.stream(...) not throwing ReadErrors 1f6ca6b

v10.3.0

v10.2.2

  • Do not include a request option in normalized http options 61009b3

v10.2.1

  • Ensure got.mergeOptions(...) can be assigned to defaults (#1008) 1360a1b
  • The url option is mutually exclusive with the url input argument e0f8aab
  • Update RetryObject['error'] TypeScript types 5008bf7
  • Upgrade @szmarczak/http-timer dependency a1b8ffc

v10.2.0

v10.1.0

Fixes
  • Fix content-length header not being set when using custom content-type 3149340
  • Emit timeout errors as soon as possible 912c2e5 7bf92f4

v10.0.4

v10.0.3

  • Fix the responseType option (071bf5e)
  • Fix unhandled Premature close and Request timed out errors (7b2ccb0)
  • Make options.path backwards-compatible (b3f1ac9)

v10.0.2

  • Fix TypeScript type problem with URL and URLSearchParams globals (#969) 2d5e28d
  • Fix got.mergeOptions(...) TypeScript type (#953) b962d08
  • Fix unhandled timeout errors when connection drops 5a8f461

v10.0.1

  • Fix using the json option with got.stream.post 2ec5c4d

v10.0.0

We're excited to announce Got 10! 🎉 This release has been in the works for almost a year and has been a major undertaking. Got was fully rewritten in TypeScript, which helped us catch many bugs and will give us more confidence in the codebase going forward. Got is now faster and much more stable. We also fixed a huge amount of bugs. Big thanks to everyone that helped make this release possible. 🙌


If you find Got useful, you might want to sponsor the Got maintainers.

Note: Some HTTP agents like https-proxy-agent and agentkeepalive are not compatible with Node.js 10 and hence not compatible with Got as Got takes advantage of some Node.js 10-only APIs.

Breaking
  • Require Node.js 10 633651f
    • Why: This is so that we can use stream.pipeline for more reliable stream handling. Node.js 8 will be out of LTS at the end of this month anyway.
  • Remove support for protocol-less URLs in the url argument 92bc808
    • Why: To reduce ambiguity. It was not clear from just reading the code what it would default to.
    • Migrate:
- got('sindresorhus.com');
+ got('https://sindresorhus.com');
  • Rename the query option to searchParams and make it stricter b223663 5376216 518f0f5
    • Why: To get closer to the window.fetch naming in the browser.
    • Migrate:
- got(…, {query: …});
+ got(…, {searchParams: …});
  • Replace the baseUrl option with prefixUrl (#829) 0d534ed
    • Note: We also made it stricter to reduce ambiguity. The Got url argument now cannot be prefixed with a slash when this option is used.
    • Why: We renamed it to make it clear that it doesn't do any URL resolution.
    • Migrate:
- got('/foo', {baseUrl: 'https://x.com'});
+ got('foo', {prefixUrl: 'https://x.com'});
  • Change the json option to accept an object instead of a boolean and to only be responsible for the request, not the response (#704) a6a7d5a
    • Note: You now set the request body in this option instead of the body option when you want to send JSON. This option also no longer sets the response type to JSON. You either call the .json() method or specify the responseType option for that.
    • Why: Many people were confused about how {json: true} worked, and they also complained that they could not set the request/response type individually.
    • Migrate:
- got(url, {body: {x: true}, json: true});
+ got.post(url, {json: {x: true}}).json();
  • Use the responseType option instead of encoding to get a Buffer (#940) 6cc3d9f
    • Why: Previously, you would pass {encoding: null} to get a Buffer, but this was confusing. You now use {responseType: 'buffer'} instead.
    • Tip: You can also use got(…).buffer();.
    • Migrate:
- got(…, {encoding: null});
+ got(…, {responseType: 'buffer'});
  • Don't infer POST automatically when specifying body (#756) e367bdb
    • Why: We're trying to reduce the amount of magic behavior.
    • Migrate:
- got(…, {body: 'foo'});
+ got.post(…, {body: 'foo'});
  • The retries.retry option was split into retries.limit and retries.calculateDelay b15ce1d
    • Migrate:
 got(…, {
 	retry: {
-		retries: 2
+		limit: 2
 	}
 });
 got(…, {
 	retry: {
-		retries: iteration => iteration < 2
+		calculateDelay: ({attemptCount}) => attemptCount < 2
 	}
 });
 got(…, {
 	headers: {
-		'user-agent': null
+		'user-agent': undefined
 	}
 });
  • Rename the Promise API property .fromCache to .isFromCache (#768) b5e443b
  • Rename the stream option to isStream 518f0f5
    • Why: To make it clearer that it's a boolean and that it doesn't expect a stream to be passed in.
    • Migrate:
- got(…, {stream: true});
+ got(…, {isStream: true});
  • Don't include the Got version in the default user-agent header (#911) 95bed1e
- got/9.6.0 (https://github.com/sindresorhus/got)
+ got (https://github.com/sindresorhus/got)
    • Why: Importing package.json to get the version caused a lot of problems. And you should ideally set your own user-agent header anyway.
  • Remove got.create() 518f0f5
    • You can achieve the same thing with got.extend() now.
  • Remove got.mergeInstances() 518f0f5
    • Use gotInstance.extend(...gotInstances) instead.
  • Move top-level error properties into an .options and .response property (#773) 6eaa81b
    • Migrate:
- error.gotOptions
+ error.options

- error.headers
+ error.response.headers

- error.statusCode
+ error.response.statusCode

- error.statusMessage
+ error.response.statusMessage

- error.body
+ error.response.body

- error.redirectUrls
+ error.response.redirectUrls

- error.host
+ error.options.host

- error.hostname
+ error.options.hostname

- error.method
+ error.options.method

- error.protocol
+ error.options.protocol

- error.url
+ error.options.url

- error.path
+ error.options.path
  • Custom instance creation was simplified (#707) 8eaef94
    • Note: got.mergeInstances(...instances) is deprecated. Use instanceA.extend(instanceB) instead.
    • Migrate:
### Merging instances
- got.mergeInstances(instanceA, instanceB, instanceC, …);
+ instanceA.extend(instanceB, instanceC, …);

### Merging options
- instanceA.extend(optionsB).extend(optionsC).extend(…);
+ instanceA.extend(optionsB, optionsC, …);

### Merging instances and options
- got.mergeInstances(instanceA.extend(optionsB), instanceC);
+ instanceA.extend(optionsB, instanceC, …);

### Extending handlers
- got.mergeInstances(instanceA, got.create({handler: handlerB}));
+ instanceA.extend({handlers: [handlerB]});

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
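The advisory above (CVE-2022-33987) is about a redirect landing on a UNIX socket. The following is an added illustration, not code from the got project or from this PR: a defender-side redirect guard. got addresses sockets as `http://unix:<socket path>:<request path>`, so the target's parsed hostname is literally `unix`, which a scheme check alone would miss; the guard rejects that, any non-http(s) scheme, and https-to-http downgrades. It assumes (my assumption, not documented on this page) that got 11's `beforeRedirect` hook receives the updated options with `url` set to the redirect target and a response whose `url` is the address that answered with the redirect; `redirectProblem` itself is plain Node and needs no got.

```javascript
// Added example, not from the got project or this PR. Guard for HTTP redirect
// targets, motivated by CVE-2022-33987 (got < 11.8.5 would follow a redirect
// onto a UNIX socket). got writes socket requests as
// http://unix:<socket path>:<request path>, so the parsed hostname is "unix".
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns null when `location` (a Location header value, possibly relative) is an
// acceptable redirect from `currentUrl` (a URL instance); otherwise a reason string.
function redirectProblem(location, currentUrl) {
  let target;
  try {
    target = new URL(location, currentUrl); // resolves relative Location values
  } catch {
    return 'unparsable Location header';
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) {
    return `disallowed protocol ${target.protocol}`;
  }
  if (target.hostname === 'unix') {
    // The scheme is http:, so only the hostname reveals the socket target.
    return 'redirect to a UNIX socket';
  }
  if (currentUrl.protocol === 'https:' && target.protocol === 'http:') {
    return 'downgrade from https to http';
  }
  return null;
}

// Assumed wiring for got 11 (assumption: beforeRedirect receives the updated
// options whose `url` is the redirect target, and `response.url` is the URL that
// answered with the redirect). Throwing makes got abandon the request.
function makeBeforeRedirectHook() {
  return (options, response) => {
    const problem = redirectProblem(String(options.url), new URL(response.url));
    if (problem !== null) {
      throw new Error(`Refusing redirect to ${options.url}: ${problem}`);
    }
  };
}

// Constructed sample Location headers, as a server might send them.
function checkSamples() {
  const current = new URL('https://example.test/login');
  return {
    socket: redirectProblem('http://unix:/var/run/docker.sock:/containers/json', current),
    relative: redirectProblem('/dashboard', current),
    downgrade: redirectProblem('http://example.test/dashboard', current),
    file: redirectProblem('file:///etc/passwd', current),
  };
}
```

Pass `hooks: {beforeRedirect: [makeBeforeRedirectHook()]}` in the got options to apply the guard to every redirect the client follows.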

@atlassian-cla-bot

Thank you for your submission! Like many open source projects, we ask that you sign our CLA (Contributor License Agreement) before we can accept your contribution.
If your email is listed below, please ensure that you sign the CLA with the same email address.

The following users still need to sign our CLA:
  • renovate[bot]

Already signed the CLA? To re-check, try refreshing the page.

@renovate renovate bot force-pushed the renovate/npm-got-vulnerability branch from 9151db6 to 6f56c07 Compare September 25, 2022 17:30