🚨 [security] Update node-fetch: 3.2.4 → 3.2.10 (patch)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ node-fetch (3.2.4 → 3.2.10) · Repo · Changelog

Security Advisories 🚨

🚨 node-fetch Inefficient Regular Expression Complexity

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

Release Notes

3.2.10

3.2.10 (2022-07-31)

Bug Fixes

• ReDoS referrer (#1611) (2880238)

3.2.9

3.2.9 (2022-07-18)

Bug Fixes

• Headers: don't forward secure headers on protocol change (#1599) (e87b093)

3.2.8

3.2.8 (2022-07-12)

Bug Fixes

• possibly flaky test (#1523) (11b7033)

3.2.7

3.2.7 (2022-07-11)

Bug Fixes

• always warn Request.data (#1550) (4f43c9e)

3.2.6

3.2.6 (2022-06-09)

Bug Fixes

• undefined reference to response.body when aborted (#1578) (1c5ed6b)

3.2.5

3.2.5 (2022-06-01)

Bug Fixes

• use space in accept-encoding values (#1572) (a92b5d5), closes #1571

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• fix: ReDoS referrer (#1611)
• fix(Headers): don't forward secure headers on protocol change (#1599)
• chore: remove triple-slash directives from typings (#1285) (#1287)
• fix spelling (#1602)
• fix: possibly flaky test (#1523)
• fix: always warn Request.data (#1550)
• fix: undefined reference to response.body when aborted (#1578)
• fix: use space in accept-encoding values (#1572)
• docs: fix formdata code example (#1562)
• docs(readme): response.clone() is not async (#1560)
• Fix leaking listeners (#1295) (#1474)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
website	❌ Failed (Inspect)		Aug 4, 2022 at 8:21PM (UTC)