writeup-frontend icon indicating copy to clipboard operation
writeup-frontend copied to clipboard

Published 20 hours ago verified publisher icon jeffshek

[Security] Bump axios from 0.19.0 to 0.21.1

Open dependabot-preview[bot] opened this issue 3 years ago • 0 comments

Bumps axios from 0.19.0 to 0.21.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Server-Side Request Forgery in Axios Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Affected versions: < 0.21.1

Release notes

Sourced from axios's releases.

v0.21.1

0.21.1 (December 21, 2020)

Fixes and Functionality:

  • Hotfix: Prevent SSRF (#3410)
  • Protocol not parsed when setting proxy config from env vars (#3070)
  • Updating axios in types to be lower case (#2797)
  • Adding a type guard for AxiosError (#2949)

Internal and Tests:

  • Remove the skipping of the socket http test (#3364)
  • Use different socket for Win32 test (#3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

v0.21.0

0.21.0 (October 23, 2020)

Fixes and Functionality:

  • Fixing requestHeaders.Authorization (#3287)
  • Fixing node types (#3237)
  • Fixing axios.delete ignores config.data (#3282)
  • Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#1773)" (#3289)
  • Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#3200)

Internal and Tests:

  • Lock travis to not use node v15 (#3361)

Documentation:

  • Fixing simple typo, existant -> existent (#3252)
  • Fixing typos (#3309)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

Changelog

Sourced from axios's changelog.

0.21.1 (December 21, 2020)

Fixes and Functionality:

  • Hotfix: Prevent SSRF (#3410)
  • Protocol not parsed when setting proxy config from env vars (#3070)
  • Updating axios in types to be lower case (#2797)
  • Adding a type guard for AxiosError (#2949)

Internal and Tests:

  • Remove the skipping of the socket http test (#3364)
  • Use different socket for Win32 test (#3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

0.21.0 (October 23, 2020)

Fixes and Functionality:

  • Fixing requestHeaders.Authorization (#3287)
  • Fixing node types (#3237)
  • Fixing axios.delete ignores config.data (#3282)
  • Revert "Fixing overwrite Blob/File type as Content-Type in browser. (#1773)" (#3289)
  • Fixing an issue that type 'null' and 'undefined' is not assignable to validateStatus when typescript strict option is enabled (#3200)

Internal and Tests:

  • Lock travis to not use node v15 (#3361)

Documentation:

  • Fixing simple typo, existant -> existent (#3252)
  • Fixing typos (#3309)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

dependabot-preview[bot] avatar Jan 04 '21 21:01 dependabot-preview[bot]