react-ssr-advanced-seed
react-ssr-advanced-seed copied to clipboard
vip-git
chore(deps): update dependency node-fetch [security]
This PR contains the following updates:
| Package | Type | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|---|
| node-fetch | 2.6.1 -> 2.6.7 |
||||||
| node-fetch | dependencies | patch | 2.6.1 -> 2.6.7 |
||||
| node-fetch | 1.7.3 -> 2.6.1 |
GitHub Vulnerability Alerts
CVE-2022-0235
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-15168
Impact
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Patches
We released patched versions for both stable and beta channels:
- For
v2: 2.6.1 - For
v3: 3.0.0-beta.9
Workarounds
None, it is strongly recommended to update as soon as possible.
For more information
If you have any questions or comments about this advisory:
- Open an issue in node-fetch
- Contact one of the core maintainers.
Release Notes
node-fetch/node-fetch
v2.6.7
Security patch release
Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred
What's Changed
- fix: don't forward secure headers to 3th party by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1453
Full Changelog: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7
v2.6.6
What's Changed
- fix(URL): prefer built in URL version when available and fallback to whatwg by @jimmywarting in https://github.com/node-fetch/node-fetch/pull/1352
Full Changelog: https://github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
fixed main path in package.json
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: package-lock.json
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
![guardrails[bot] avatar](https://avatars.githubusercontent.com/in/5512?v=4 "Published by a pub.dev verified publisher"){kind=small}