Build(deps): [security] bump @cypress/request from 2.88.11 to 2.88.12 #1374

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-cypress-request-2.88.12 into master 2023-08-02 06:58:04 +00:00
argoyle commented 2023-08-02 04:43:29 +00:00 (Migrated from gitlab.com)

Bumps @cypress/request from 2.88.11 to 2.88.12. This update includes a security fix.

Vulnerabilities fixed

Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Patched versions: none

Affected versions: <= 2.88.11

Release notes

Sourced from @cypress/request's releases.

v2.88.12

2.88.12 (2023-08-01)

Bug Fixes

  • request: update tough-cookie dep (0664780)

Commits

  • 0664780 fix(request): update tough-cookie dep
  • 30def80 Merge pull request #39 from cypress-io/jordanpowell88/update-pkg-version
  • 6b79405 update package version
  • bfbb95f Merge pull request #32 from BreakBB/fix-cve-2023-26136
  • a67e132 pin 18.16
  • 825485a revert back to yarn but v 18
  • 3bce354 update workflow to use npm
  • 4ceb20b Merge branch 'master' into fix-cve-2023-26136
  • 228831e Merge pull request #38 from cypress-io/benm/github-workflows-update
  • f6ee03f chore: add in workflows for github. update workflow actions
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
argoyle commented 2023-08-02 06:57:45 +00:00 (Migrated from gitlab.com)

added 3 commits

  • 3215c49a...907e3ccc - 2 commits from branch master
  • 859bd2d0 - Build(deps): [security] bump @cypress/request from 2.88.11 to 2.88.12

Compare with previous version

argoyle (Migrated from gitlab.com) merged commit into master 2023-08-02 06:58:04 +00:00