[Snyk] Security upgrade node-fetch from 3.1.0 to 3.1.1 #2

Merged

snyk-bot merged 1 commit from snyk-fix-4a6593f393e4b8a702683dcbc821ba29 into master 2022-01-19 06:29:13 +01:00

Conversation 0 Commits 1 Files changed 2 +12 -12

snyk-bot commented 2022-01-19 06:28:19 +01:00 (Migrated from github.com)

Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	611/1000 Why? Recently disclosed, Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: node-fetch

The new version differs by 16 commits.

• 36e47e8 3.1.1 release (#1451)
• 5304f3f Don't change relative location header on manual redirect (#1105)
• f5d3cf5 fix(Headers): don't forward secure headers to 3th party (#1449)
• f2c3d56 Create SECURITY.md (#1445)
• 4ae3538 core: Warn when using data (#1421)
• 41f53b9 fix: use more node: protocol imports (#1428)
• f674875 ci: fix main branch (#1429)
• 1493d04 core: Don't use global buffer (#1422)
• eb33090 Chore: Fix logical operator priority (regression) to disallow GET/HEAD with non-empty body (#1369)
• 7ba5bc9 update readme for TS @ type/node-fetch (#1405)
• 6956bf8 core: Don't use buffer to make a blob (#1402)
• 6e4c1e4 fix(Redirect): Better handle wrong redirect header in a response (#1387)
• 2d5399e fix: handle errors from the request body stream (#1392)
• 0284826 fix(http.request): Cast URL to string before sending it to NodeJS core (#1378)
• 3f0e0c2 docs: Fix typo around sending a file (#1381)
• 30c3cfe update fetch-blob (#1371)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

<h3>Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.</h3>  #### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **611/1000** <br/> **Why?** Recently disclosed, Has a fix available, CVSS 6.5 | Information Exposure <br/>[SNYK-JS-NODEFETCH-2342118](https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118) | No | No Known Exploit (*) Note that the real score may have changed since the PR was raised. <details> <summary><b>Commit messages</b></summary> </br> <details> <summary>Package name: <b>node-fetch</b></summary> The new version differs by 16 commits.</br> <ul> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10">36e47e8</a> 3.1.1 release (#1451)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/5304f3f7f7778f1011b622bedcb0e4d3c04dba31">5304f3f</a> Don&#x27;t change relative location header on manual redirect (#1105)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80">f5d3cf5</a> fix(Headers): don&#x27;t forward secure headers to 3th party (#1449)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/f2c3d563755d4d357df987fe871607e296463cef">f2c3d56</a> Create SECURITY.md (#1445)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/4ae35388b078bddda238277142bf091898ce6fda">4ae3538</a> core: Warn when using data (#1421)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/41f53b9065a00bc73d24215d42aacdcd284b199c">41f53b9</a> fix: use more node: protocol imports (#1428)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/f674875f98c4ef2970a9acf02324f520b1b77967">f674875</a> ci: fix main branch (#1429)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/1493d046bc0944886277b0b82dfdf78a7b9f7799">1493d04</a> core: Don&#x27;t use global buffer (#1422)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/eb33090b81442bc6af9f714a5158160856a1e2f2">eb33090</a> Chore: Fix logical operator priority (regression) to disallow GET/HEAD with non-empty body (#1369)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/7ba5bc9e0aff386ae0e00792d1ea2e2f7a4fd7d6">7ba5bc9</a> update readme for TS @ type/node-fetch (#1405)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/6956bf868b6dbd806eeccec96f3fa6bf72a65124">6956bf8</a> core: Don&#x27;t use buffer to make a blob (#1402)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/6e4c1e4f67b7b6b8de13bbbf88991894dc003245">6e4c1e4</a> fix(Redirect): Better handle wrong redirect header in a response (#1387)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/2d5399ed5605fb1b2e887f6e7953bc02e6194d52">2d5399e</a> fix: handle errors from the request body stream (#1392)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/0284826de6e733c717447c6dfcddc5f0b538b254">0284826</a> fix(http.request): Cast URL to string before sending it to NodeJS core (#1378)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/3f0e0c2949fa47aa3d54629c6936f01d7be6656a">3f0e0c2</a> docs: Fix typo around sending a file (#1381)</li> <li><a href="https://snyk.io/redirect/github/node-fetch/node-fetch/commit/30c3cfe1d2872ada5159a8d7dd34946bd757ff26">30c3cfe</a> update fetch-blob (#1371)</li> </ul> <a href="https://snyk.io/redirect/github/node-fetch/node-fetch/compare/109bd21313c277f043089f8c38b1a716c39ff86f...36e47e8a6406185921e4985dcbeff140d73eaa10">See the full diff</a> </details> </details> Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiIxODkwODc3MS0wZTZlLTRlMzktYjJiZS1lMmQ3ZWQ2ZDAxMTkiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjE4OTA4NzcxLTBlNmUtNGUzOS1iMmJlLWUyZDdlZDZkMDExOSJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/vityaschel/project/58b8acd7-1672-456d-93d3-55a660809c3a?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/vityaschel/project/58b8acd7-1672-456d-93d3-55a660809c3a?utm_source&#x3D;github&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"18908771-0e6e-4e39-b2be-e2d7ed6d0119","prPublicId":"18908771-0e6e-4e39-b2be-e2d7ed6d0119","dependencies":[{"name":"node-fetch","from":"3.1.0","to":"3.1.1"}],"packageManager":"npm","projectPublicId":"58b8acd7-1672-456d-93d3-55a660809c3a","projectUrl":"https://app.snyk.io/org/vityaschel/project/58b8acd7-1672-456d-93d3-55a660809c3a?utm_source=github&utm_medium=referral&page=fix-pr","type":"user-initiated","patch":[],"vulns":["SNYK-JS-NODEFETCH-2342118"],"upgrade":["SNYK-JS-NODEFETCH-2342118"],"isBreakingChange":false,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","priorityScore","merge-advice-badge-shown"],"priorityScoreList":[611]})

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: hloth/asurso#2

No description provided.